WebUI: improve HTML escaping

Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
2025-12-07 23:00:55 +03:00 · 2022-09-13 19:16:07 +02:00
parent ea3c1d7a3b
commit f8a19f747d
5 changed files with 68 additions and 35 deletions
--- a/templates/webclient/shareupload.html
+++ b/templates/webclient/shareupload.html
@@ -99,7 +99,7 @@ along with this program.  If not, see <https://www.gnu.org/licenses/>.
                    let response;
                    try {
                        var f = files[index];
-                        var uploadPath = '{{.UploadBasePath}}/'+fixedEncodeURIComponent(f.name);
+                        var uploadPath = '{{.UploadBasePath}}/'+fixedEncodeURIComponent(escapeHTML(f.name));
                        var lastModified;
                        try {
                            lastModified = f.lastModified;