From 4ec947715d9faafcc71bc3fc3a5022a7919dbabf Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Wed, 09 Sep 2015 03:12:11 -0400
Subject: [PATCH] Fix XSS issue in drag-n-drop file uploads (#1490530)
---
 program/js/app.js | 3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)
diff --git a/program/js/app.js b/program/js/app.js
index 603d2f8..3d3eeea 100644
--- a/program/js/app.js
+++ b/program/js/app.js
@@ -7281,7 +7281,8 @@ var submit_data = function() {
 var multiple = files.length > 1,
 ts = new Date().getTime(),
- content = '<span>' + (multiple ? ref.get_label('uploadingmany') : files[0].name) + '</span>';
+ // jQuery way to escape filename (#1490530)
+ content = $('<span>').text(multiple ? ref.get_label('uploadingmany') : files[0].name).html();
 // add to attachments list
 if (!ref.add2attachment_list(ts, { name:'', html:content, classname:'uploading', complete:false }))
-- 
Gitblit v1.9.1
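Review bot: The added `content` line drops the `<span>` wrapper the removed line produced, because `.html()` returns the inner HTML of the temporary span, not its outer markup; if `add2attachment_list` or the list's CSS relies on that wrapper the markup is now different. Keeping the wrapper while still escaping the filename would be `content = '<span>' + $('<span>').text(multiple ? ref.get_label('uploadingmany') : files[0].name).html() + '</span>';`. It is also worth stating in the comment what the escaping covers, since innerHTML serialization of a text node encodes only `&`, `<` and `>`, which is sufficient for element content but not for attribute values: `// escape filename as element text (&, <, >) before it is inserted as HTML (#1490530)`. Note that `ref.get_label(...)` output is now escaped too, so a label containing entities would render them literally — presumably fine, but worth confirming. The enclosing `submit_data` function starts before the hunk and continues after it.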