zydronium/neocities
1
0
Fork 0
mirror of https://github.com/neocities/neocities.git synced 2025-04-24 17:22:35 +02:00
Code Issues Projects Releases Packages Wiki Activity

Plug XSS hole in file upload name

Browse source
This commit is contained in:
Kyle Drake 2017-01-25 20:15:47 -08:00
parent 89f123d125
commit 4f09d954e5
1 changed files with 1 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
app/site_files.rb
View file

@ -116,7 +116,7 @@ post '/site_files/upload' do
file_upload_response "#{file[:filename]} is too large, upload cancelled."
end
if !current_site.okay_to_upload? file
file_upload_response %{#{file[:filename]}: file type (or content in file) is only supported by <a href="/supporter">supporter accounts</a>. <a href="/site_files/allowed_types">Why We Do This</a>}
file_upload_response %{#{Rack::Utils.escape_html file[:filename]}: file type (or content in file) is only supported by <a href="/supporter">supporter accounts</a>. <a href="/site_files/allowed_types">Why We Do This</a>}
end
end