author | Cesar G <prototech91@gmail.com> | 2014-02-17 23:56:58 -0800 |
---|---|---|
committer | Cesar G <prototech91@gmail.com> | 2014-02-18 00:01:05 -0800 |
commit | 627dc886b349466091cbf82ce9683b73f91affae (patch) | |
tree | ced2e678bd9f0b27ec0febdb3c995dbbf717f4f9 /phpBB | |
parent | 233bdfa5f639e44a8315736bc917fb8322bd0e15 (diff) | |
[ticket/12212] Encode the attachment file name before presenting to user.
The uploader inserts the file name directly into the page at the moment without
handling any HTML special chars that may be in the name. This results in HTML
that may be present getting rendered in error messages and the attachments
list. This simply causes layout breakage for the user, since the backend takes
care of sanitizing the name. Once phpBB returns the file data for the uploaded
file, the name in the attachment list gets replaced by the one that phpBB
provides.
PHPBB3-12212
Diffstat (limited to 'phpBB')
-rw-r--r-- | phpBB/assets/javascript/plupload.js | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/phpBB/assets/javascript/plupload.js b/phpBB/assets/javascript/plupload.js
index a90757d487..5e90c5284c 100644
--- a/phpBB/assets/javascript/plupload.js
+++ b/phpBB/assets/javascript/plupload.js
@@ -162,7 +162,7 @@ phpbb.plupload.insertRow = function(file) {
 var row = $(phpbb.plupload.rowTpl);
 row.attr('id', file.id);
- row.find('.file-name').html(file.name);
+ row.find('.file-name').html(plupload.xmlEncode(file.name));
 row.find('.file-size').html(plupload.formatSize(file.size));
 if (phpbb.plupload.order == 'desc') {
@@ -496,6 +496,8 @@ $('#file-list').on('click', '.file-error', function(e) {
 * Fires when an error occurs.
 */
 uploader.bind('Error', function(up, error) {
+ error.file.name = plupload.xmlEncode(error.file.name);
+
 // The error message that Plupload provides for these is vague, so we'll be more specific.
 if (error.code === plupload.FILE_EXTENSION_ERROR) {
 error.message = plupload.translate('Invalid file extension:') + ' ' + error.file.name; |
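Review bot: In `insertRow` the file name still goes through `.html()`, so the cell is only as safe as the character set `plupload.xmlEncode` covers. An unescaped name in that sink is a script-injection vector in the user's own page, not only a layout problem, even though the server-side name replaces it later. Writing the value as text removes the dependency on the encoder: `row.find('.file-name').text(file.name);`. The body of `insertRow` continues outside the hunk.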
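Review bot: The line added at the top of the `Error` handler dereferences `error.file` unconditionally and overwrites the name on the file object itself. If Plupload raises an error that carries no file (initialisation errors appear to be of that kind), the handler throws before any message is shown. If the same file object reaches this handler or `insertRow` again, the name is encoded a second time and the user sees `&amp;amp;`-style text. Encoding into a local at the point of output avoids both: `var fileName = error.file ? plupload.xmlEncode(error.file.name) : '';`, then use `fileName` when building `error.message`. The handler continues past the end of the hunk, so any other use of `error.file.name` there needs the same treatment.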