dm-4880 XSS vulnerability fix 2 (#1132)
Adds lodash function `escape` to ensure safe encoding of chars rendered to HTML as filename to prevent XSS vulnerability.
PhilipDeFraties authored Nov 28, 2024
1 parent a4f3f66 commit 4ccd27e
Showing 1 changed file with 2 additions and 1 deletion.
3 changes: 2 additions & 1 deletion app/assets/javascripts/practice_editor_utilities.es6
Expand Up @@ -256,7 +256,8 @@ function attachAddResourceListener(formSelector, container, sArea, sType) {
// hide file upload so user can't upload a new file once added it is added to save queue
if (sType === 'file') {
let $uploadInputLabel = $(`#${container}`).find('.dm-file-upload-label')
$(`<div>File: ${fileName}</div>`).insertAfter($uploadInputLabel)
let escapedFileName = _.escape(fileName);
$(`<div>File: ${escapedFileName}</div>`).insertAfter($uploadInputLabel)
$uploadInputLabel.remove();
$(`#${container}`).find('.usa-file-input').addClass('display-none');
}
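Review bot: The escaping is correct for this sink (`_.escape` covers `&`, `<`, `>`, `"` and `'`, which is what an HTML text node needs), but a more robust shape for line 21 is to stop building HTML from a string at all and let jQuery create the text node: `$('<div>').text(\`File: ${fileName}\`).insertAfter($uploadInputLabel)`, which removes the need to remember to escape at every render site. Two smaller points: line 21 drops the trailing semicolon that lines 20 and 22 carry, and the hunk adds a dependency on the lodash global `_`, so confirm lodash is loaded before `practice_editor_utilities.es6`. Since the commit touches only this one file, consider adding a test that renders a filename containing `<` and `"` and asserts the inserted markup is escaped, so the fix does not regress.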
