mirror of
				https://github.com/NodeBB/NodeBB.git
				synced 2025-10-26 16:46:12 +01:00 
			
		
		
		
	fix: improper neutralization of user input in image wrapping code
		| @@ -26,8 +26,9 @@ define('forum/topic/images', [], function () { | |||||||
| 			const srcExt = src.split('.').slice(1).pop(); | 			const srcExt = src.split('.').slice(1).pop(); | ||||||
| 			const altFilename = alt.split('/').pop(); | 			const altFilename = alt.split('/').pop(); | ||||||
| 			const altExt = altFilename.split('.').slice(1).pop(); | 			const altExt = altFilename.split('.').slice(1).pop(); | ||||||
|  |  | ||||||
| 			imageEl.wrap('<a href="' + src + '" ' + | 			imageEl.wrap('<a href="' + src + '" ' + | ||||||
| 				(!srcExt && altExt ? ' download="' + altFilename + '" ' : '') + | 				(!srcExt && altExt ? ' download="' + utils.escapeHTML(altFilename) + '" ' : '') + | ||||||
| 				' target="_blank" rel="noopener">'); | 				' target="_blank" rel="noopener">'); | ||||||
| 		} | 		} | ||||||
| 	}; | 	}; | ||||||
|   | |||||||
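Review bot: `src` is still concatenated unescaped into the `href` attribute on the `imageEl.wrap('<a href="' + src + '" ' +` line, so this commit neutralizes only `altFilename`. The assignment of `src` is outside this hunk; if it is read back from the image element it is already entity-decoded, and a double quote in it would terminate the attribute just as the filename could. I would escape it as well, `imageEl.wrap('<a href="' + utils.escapeHTML(src) + '" ' +`, or build the wrapper with `$('<a>').attr({ href: src, target: '_blank', rel: 'noopener' })` so no markup is assembled from strings. The `define('forum/topic/images', [], ...)` context line shows an empty dependency list, so it is worth confirming that `utils` is in scope in this module; the enclosing function starts above the hunk.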