JeremyFagis / dropify

Override your input files with style — Demo here : http://jeremyfagis.github.io/dropify
MIT License
972 stars 398 forks source link

XSS vulnerability [ Fixes inside ] #65

Open DrHazemAli opened 7 years ago

DrHazemAli commented 7 years ago

Hi, There is an XSS vulnerability inside dropify.min.js allows client-side to perform JS actions when the image being uploaded in the preview inner because the filename itself can be renamed to an html or javascript code.

Example : (">< img src = x onerror=prompt(1) >.png)

Org: this.filenameWrapper.children(".dropify-filename-inner").html(this.file.name);

Fixes :

this.filenameWrapper.children(".dropify-filename-inner").html(cleanHTMLi(this.file.name));

I've written a function to perform HTML cleanup:

function cleanHTMLi(s) { return s.replace(/&/g, '&').replace(/</g, '<').replace(/"/g, '"'); }

Thanks,