	fix: improper neutralization of user input in image wrapping code
		| @@ -26,8 +26,9 @@ define('forum/topic/images', [], function () { | ||||
| 			const srcExt = src.split('.').slice(1).pop(); | ||||
| 			const altFilename = alt.split('/').pop(); | ||||
| 			const altExt = altFilename.split('.').slice(1).pop(); | ||||
|  | ||||
| 			imageEl.wrap('<a href="' + src + '" ' + | ||||
| 				(!srcExt && altExt ? ' download="' + altFilename + '" ' : '') + | ||||
| 				(!srcExt && altExt ? ' download="' + utils.escapeHTML(altFilename) + '" ' : '') + | ||||
| 				' target="_blank" rel="noopener">'); | ||||
| 		} | ||||
| 	}; | ||||
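Review bot: `src` is still concatenated unescaped into the `href` attribute in the same `imageEl.wrap(...)` call; only `altFilename` is passed through `utils.escapeHTML`. How `src` is read and sanitized lies above this hunk, so this is unconfirmed, but if it can carry a double quote it leaves the attribute the same way the filename could. Escape it too, `imageEl.wrap('<a href="' + utils.escapeHTML(src) + '" ' +`, or build the wrapper with `$('<a>').attr('href', src)` and set the remaining attributes through `.attr()` so no markup is assembled from strings. The enclosing function starts outside the hunk. `utils` does not appear in the empty dependency array of `define('forum/topic/images', [], ...)` shown in the hunk header, so the call presumably relies on a global; a one-line comment saying so would help the next reader.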
|   | ||||