|
@@ -292,13 +292,17 @@ Template.cardAttachmentsPopup.events({
|
|
|
let uploads = [];
|
|
let uploads = [];
|
|
|
for (const file of files) {
|
|
for (const file of files) {
|
|
|
const fileId = new ObjectID().toString();
|
|
const fileId = new ObjectID().toString();
|
|
|
- const warning = "WARNING-XSS-SANITIZED-";
|
|
|
|
|
let fileName = DOMPurify.sanitize(file.name);
|
|
let fileName = DOMPurify.sanitize(file.name);
|
|
|
|
|
|
|
|
|
|
+ // If sanitized filename is not same as original filename,
|
|
|
|
|
+ // it could be XSS that is already fixed with sanitize,
|
|
|
|
|
+ // or just normal mistake, so it is not a problem.
|
|
|
|
|
+ // That is why here is no warning.
|
|
|
if (fileName !== file.name) {
|
|
if (fileName !== file.name) {
|
|
|
- // console.warn('Detected possible XSS in file: ', file.name + '. Renamed to: ', fileName + '.');
|
|
|
|
|
- // Add warning about XSS sanitized:
|
|
|
|
|
- fileName = warning.concat(fileName);
|
|
|
|
|
|
|
+ // If filename is empty, only in that case add some filename
|
|
|
|
|
+ if (fileName.length === 0) {
|
|
|
|
|
+ fileName = 'Empty-filename-after-sanitize.txt';
|
|
|
|
|
+ }
|
|
|
}
|
|
}
|
|
|
|
|
|
|
|
const config = {
|
|
const config = {
|
Lauri Ojansivu