Description
In src/js/ui/file-import.js (~line 204), the download_ab function sets the download attribute on an anchor element using the raw filename:
```javascript
function download_ab(file_name, array_buff) {
  const blob = new Blob([array_buff], { type: "application/octet-stream" });
  const link = document.createElement("a");
  link.href = URL.createObjectURL(blob);
  link.download = file_name;
  link.click();
  URL.revokeObjectURL(link.href);
}
```
While escapeHtml in renderer.js sanitizes filenames for HTML display (preventing XSS in the DOM), the download attribute receives the raw filename. Browsers generally handle this safely, but filenames with characters like ../, null bytes, or excessive length could behave unexpectedly on certain OS/browser combinations.
Risk Level
Low — filenames originate from the user's own filesystem or controlled suffixes (e.g., .fk extension).
Suggested Fix
Add a simple sanitization pass before setting the download attribute:
- Strip path separators (/, \)
- Remove null bytes
- Limit length (e.g., 255 chars)
Found during code review of PR #34.
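
One way to implement the suggested sanitization pass, shown as an added example rather than code from the project or from PR #34. The helper name `sanitizeDownloadName`, the `"download"` fallback, and the choice to keep the extension when truncating are assumptions that go slightly beyond the three steps listed above.

```javascript
// Added example: hypothetical helper, not part of the project's code base.
const MAX_NAME_LEN = 255; // length limit suggested in the issue

function sanitizeDownloadName(fileName, fallback = "download") {
  const name = String(fileName ?? "")
    .replace(/\0/g, "")       // remove null bytes
    .replace(/[\/\\]/g, "");  // strip path separators (/ and \)

  // Empty or dots-only results ("", ".", "..") are not usable file names.
  if (/^\.*$/.test(name)) return fallback;

  // Count code points so truncation never splits a surrogate pair.
  const chars = Array.from(name);
  if (chars.length <= MAX_NAME_LEN) return name;

  // Truncate the stem but keep the extension (e.g. ".fk") when there is one.
  const dot = name.lastIndexOf(".");
  const ext = dot > 0 ? Array.from(name.slice(dot)) : [];
  if (ext.length === 0 || ext.length >= MAX_NAME_LEN) {
    return chars.slice(0, MAX_NAME_LEN).join("");
  }
  const stem = Array.from(name.slice(0, dot));
  return stem.slice(0, MAX_NAME_LEN - ext.length).join("") + ext.join("");
}

// download_ab from the issue, with the sanitized name applied.
function download_ab(file_name, array_buff) {
  const blob = new Blob([array_buff], { type: "application/octet-stream" });
  const link = document.createElement("a");
  link.href = URL.createObjectURL(blob);
  link.download = sanitizeDownloadName(file_name);
  link.click();
  URL.revokeObjectURL(link.href);
}
```
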