From ada821c076d67d1147a195178223d0b4a6d8cecc Mon Sep 17 00:00:00 2001
From: Matthieu Marcillaud <marcimat@rezo.net>
Date: Sun, 7 Jan 2024 22:07:19 +0100
Subject: [PATCH] =?UTF-8?q?fix:=20=C3=89viter=20de=20possibles=20XSS=20ave?=
 =?UTF-8?q?c=20le=20nom=20des=20fichiers=20upload=C3=A9s=20(en=20js)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

(cherry picked from commit df7543f1dc9d04f068dd12c901b89a98db535961)
---
 javascript/bigup.js       | 34 ++++++++++++++++++++++------------
 javascript/bigup.utils.js | 12 +++++++++++-
 2 files changed, 33 insertions(+), 13 deletions(-)

diff --git a/javascript/bigup.js b/javascript/bigup.js
index bd84fc1..5b9b5be 100644
--- a/javascript/bigup.js
+++ b/javascript/bigup.js
@@ -190,18 +190,28 @@ function Bigup(params, opts, callbacks) {
 				var extension = $.trouver_extension(file.name);
 
 				var template =
-					'\n<div class="fichier">'
-					+ '\n\t<div class="description">'
-					+ '\n\t\t<div class="vignette_extension ' + extension + '" title="' + file.type + '"><span></span></div>'
-					+ '\n\t\t<div class="infos">'
-					+ '\n\t\t\t<span class="name"><strong>' + file.name + '</strong></span>'
-					+ '\n\t\t\t<span class="size">' + $.taille_en_octets(file.size) + '</span>'
-					+ '\n\t\t</div>'
-					+ '\n\t\t<div class="actions">'
-					+ '\n\t\t\t<span class="bigup-btn btn btn-default cancel" onClick="$.bigup_enlever_fichier(this); return false;">' + _T("bigup:bouton_annuler") + '</span>'
-					+ '\n\t\t</div>'
-					+ '\n\t</div>'
-					+ '\n</div>\n';
+					'\n<div class="fichier">' +
+					'\n\t<div class="description">' +
+					'\n\t\t<div class="vignette_extension ' +
+					$.escapeHtml(extension) +
+					'" title="' +
+					file.type +
+					'"><span></span></div>' +
+					'\n\t\t<div class="infos">' +
+					'\n\t\t\t<span class="name"><strong>' +
+					$.escapeHtml(file.name) +
+					'</strong></span>' +
+					'\n\t\t\t<span class="size">' +
+					$.taille_en_octets(file.size) +
+					'</span>' +
+					'\n\t\t</div>' +
+					'\n\t\t<div class="actions">' +
+					'\n\t\t\t<span class="bigup-btn btn btn-default cancel" onClick="$.bigup_enlever_fichier(this);">' +
+					_T('bigup:bouton_annuler') +
+					'</span>' +
+					'\n\t\t</div>' +
+					'\n\t</div>' +
+					'\n</div>\n';
 
 				return template;
 			}
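Review bot: `file.type` is still interpolated raw into the `title="..."` attribute while `extension` and `file.name` on the neighbouring lines now go through `$.escapeHtml`; the line should read `$.escapeHtml(file.type) +` so the escaping discipline in this template is uniform. The value is the browser-supplied MIME type, so the practical exposure is probably lower than for the file name, but treating one interpolated field differently from the others invites a regression later. The output of `$.taille_en_octets` and `_T(...)` is left unescaped too, which is presumably fine as both are generated by the plugin rather than taken from the file — worth confirming. The enclosing function starts outside the hunk.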
diff --git a/javascript/bigup.utils.js b/javascript/bigup.utils.js
index 872123b..4a1bad9 100644
--- a/javascript/bigup.utils.js
+++ b/javascript/bigup.utils.js
@@ -171,4 +171,14 @@ $.mime_type_image = function(extension) {
 			break;
 	}
 	return mime;
-};
\ No newline at end of file
+};
+
+/** Escape HTML */
+$.escapeHtml = function(unsafe) {
+	return unsafe
+		.replaceAll('&', '&amp;')
+		.replaceAll('<', '&lt;')
+		.replaceAll('>', '&gt;')
+		.replaceAll('"', '&quot;')
+		.replaceAll("'", '&#039;');
+}
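Review bot: `$.escapeHtml` assumes its argument is already a string; if `$.trouver_extension` returns `undefined` for a file without an extension, `.replaceAll` throws and the whole template build fails, so coerce first with `return String(unsafe ?? '')` before the chain. The closing `}` on the last line lacks the `;` that `$.mime_type_image` just above ends with, and `String.prototype.replaceAll` needs ES2021 support, which may matter if the plugin still targets older browsers — `.replace(/&/g, '&amp;')` and friends would be the compatible form. The doc comment could also state what the result is safe for: `/** Escape &, <, >, " and ' so a value can be placed in HTML text or a quoted attribute */`.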
-- 
GitLab