XSS fix update

2026-02-06 11:42:13 +00:00 · 2023-12-01 15:40:32 +02:00 · 2023-12-01 15:40:32 +02:00 · f4aba673d4
commit f4aba673d4
parent 7c2c056642
2 changed files with 13 additions and 1 deletions
--- a/src/js/modules/file/save.js
+++ b/src/js/modules/file/save.js
@ -123,6 +123,7 @@ class File_save_class {
 		if (parts.length > 1)
 			file_name = parts[parts.length - 2];
 		file_name = file_name.replace(/ /g, "-");
+		file_name = this.Helper.escapeHtml(file_name);

 		var save_types = [];
 		for(var i in file_types) {
--- a/src/js/modules/layer/rename.js
+++ b/src/js/modules/layer/rename.js
@ -30,7 +30,7 @@ class Layer_rename_class {
 					new app.Actions.Bundle_action('rename_layer', 'Rename Layer', [
 						new app.Actions.Refresh_layers_gui_action('undo'),
 						new app.Actions.Update_layer_action(id || config.layer.id, {
-							name: params.name
+							name: _this.validate_name(params.name)
 						}),
 						new app.Actions.Refresh_layers_gui_action('do')
 					])
@ -39,6 +39,17 @@ class Layer_rename_class {
 		};
 		this.POP.show(settings);
 	}
+
+	validate_name(text) {
+		text = text
+			.replace(/&/g, "-")
+			.replace(/</g, "-")
+			.replace(/>/g, "-")
+			.replace(/"/g, "-")
+			.replace(/'/g, "-");
+
+		return text;
+	}
 }

 export default Layer_rename_class;