XML/HTML partials are valid in file names; however, our version of CloudCmd does not handle them gracefully; they can break the frontend completely. The naive fix is to simply reject these file names at the frontend.
Consider the following cases:
<a href='https://www.google.com' />
<script>window.alert('hacked');</script>
<script>window.alert("hacked");</script>
I do not love this solution because it rejects file names that are valid as far as the file system is concerned. With that said, this solution is acceptable given that we are talking about replacing this application in the near to mid-term.
Fixes #198.
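
Added example, not part of the original pull request and not CloudCmd's code: a sketch of the frontend rejection described above, run over the three listed cases, beside render-time HTML encoding, which goes beyond the PR and keeps such names usable. The function names and the two ordinary sample names are hypothetical.

```javascript
// Added illustration; not CloudCmd's code. All names here are hypothetical.

// Characters that let a file name be parsed as markup when it is
// inserted into the page without encoding.
const MARKUP_CHARS = /[<>]/;

// Frontend check as described in the PR: refuse names containing markup.
function isRejectedFileName(name) {
    return MARKUP_CHARS.test(name);
}

// Alternative that keeps the name: encode it when writing it into HTML.
const HTML_ENTITIES = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
};

function escapeHtml(text) {
    return String(text).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Constructed sample input: the three cases from the PR plus two ordinary names.
const SAMPLE_NAMES = [
    "<a href='https://www.google.com' />",
    "<script>window.alert('hacked');</script>",
    '<script>window.alert("hacked");</script>',
    'report-2024.txt',
    'Tom & Jerry.mp4',
];

// For each name, report the rejection decision and the encoded form.
function classify(names) {
    return names.map((name) => ({
        name,
        rejected: isRejectedFileName(name),
        rendered: escapeHtml(name),
    }));
}

for (const row of classify(SAMPLE_NAMES)) {
    console.log(row.rejected ? 'REJECT' : 'ACCEPT', row.rendered);
}
```

A check that runs only in the frontend does not cover names created on the file system by other means, so the encoding step is what protects the listing itself.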