Plug XSS hole in file upload name

2025-04-25 01:32:36 +02:00 · 2017-01-25 20:15:47 -08:00 · 2017-01-25 20:15:47 -08:00 · 4f09d954e5
commit 4f09d954e5
parent 89f123d125
1 changed files with 1 additions and 1 deletions
--- a/app/site_files.rb
+++ b/app/site_files.rb
@ -116,7 +116,7 @@ post '/site_files/upload' do
      file_upload_response "#{file[:filename]} is too large, upload cancelled."
    end
    if !current_site.okay_to_upload? file
-      file_upload_response %{#{file[:filename]}: file type (or content in file) is only supported by <a href="/supporter">supporter accounts</a>. <a href="/site_files/allowed_types">Why We Do This</a>}
+      file_upload_response %{#{Rack::Utils.escape_html file[:filename]}: file type (or content in file) is only supported by <a href="/supporter">supporter accounts</a>. <a href="/site_files/allowed_types">Why We Do This</a>}
    end
  end