From 4f09d954e5d3d80f13bfaa75526c36a221b19446 Mon Sep 17 00:00:00 2001
From: Kyle Drake
Date: Wed, 25 Jan 2017 20:15:47 -0800
Subject: [PATCH] Plug XSS hole in file upload name
---
 app/site_files.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/app/site_files.rb b/app/site_files.rb
index 1efac13d..02738b95 100644
--- a/app/site_files.rb
+++ b/app/site_files.rb
@@ -116,7 +116,7 @@ post '/site_files/upload' do
 file_upload_response "#{file[:filename]} is too large, upload cancelled."
 end
 if !current_site.okay_to_upload? file
-file_upload_response %{#{file[:filename]}: file type (or content in file) is only supported by supporter accounts. Why We Do This}
+file_upload_response %{#{Rack::Utils.escape_html file[:filename]}: file type (or content in file) is only supported by supporter accounts. Why We Do This}
 end
 end
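Review bot: The "too large" message on the hunk's first context line still interpolates `file[:filename]` into `file_upload_response` unescaped, so the same user-controlled filename reaches the same sink through a second path that this commit leaves open; change it to `file_upload_response "#{Rack::Utils.escape_html file[:filename]} is too large, upload cancelled."`. Escaping at each call site is easy to miss, so if `file_upload_response` renders its argument as HTML (the "Why We Do This" text in the message suggests it carries markup, though the helper's definition is outside the hunk), escaping the filename once where the message is built would be the more durable fix. The enclosing `post '/site_files/upload'` block begins and ends outside the hunk.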