HTML-encode file names in AjaxFileUpload #483
On Linux and Mac, it's possible to use unsafe HTML characters in file names. File names are not encoded in the AjaxFileUpload.js script.
Technically, it's an XSS vulnerability. However, the attack vector is very limited. Pre-conditions:
On Windows servers, malicious file names always cause a server-side error thanks to invalid-character checks:
Therefore, malicious code can only be executed in the same browser session in which the file is uploaded.
There's a discussion about escaping the single quote: https://webmasters.stackexchange.com/q/12335. Sometimes it's important to HTML-encode it.
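The encoding the issue asks for, shown as an added example (not code from AjaxFileUpload.js): the unsafe interpolation of a file name into markup beside a hardened version that encodes the five HTML-significant characters, including the single quote, so the markup around the name keeps its shape. The `renderFileName*` functions and the sample name are constructed for illustration.

```javascript
// Characters that change meaning inside HTML text or attribute values.
// The single quote gets a numeric reference because &apos; is not defined in HTML 4.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// HTML-encode arbitrary text so it renders as literal characters.
function htmlEncode(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Unsafe (hypothetical): the raw file name is interpolated straight into markup,
// so a quote or angle bracket in the name breaks out of the attribute or the tag.
function renderFileNameUnsafe(fileName) {
  return "<span class=\"file-name\" title='" + fileName + "'>" + fileName + "</span>";
}

// Hardened (hypothetical): the same markup with the name encoded once, so the
// browser shows the name as text regardless of the characters it contains.
function renderFileNameSafe(fileName) {
  const encoded = htmlEncode(fileName);
  return "<span class=\"file-name\" title='" + encoded + "'>" + encoded + "</span>";
}

// Constructed sample: a file name that is legal on Linux and Mac but contains a
// single quote and angle brackets, the characters the issue is about.
const SAMPLE_NAME = "report'<b>.pdf";

console.log(renderFileNameUnsafe(SAMPLE_NAME)); // markup is altered by the name
console.log(renderFileNameSafe(SAMPLE_NAME));   // name appears as inert text
```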