3.1.4 release with security fixes

moxiecode · Nov 15, 2021 · 42c00e7 · 42c00e7
1 parent c65c9b2
commit 42c00e7
Show file tree

Hide file tree

Showing 8 changed files with 12 additions and 11 deletions.
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1 @@
+Tiny values the work of security researchers in improving the security of technology products worldwide. We welcome researchers who wish to responsibly disclose vulnerabilities in our products or systems. Note that we do not offer any “bug bounty” program or any form of payment for disclosed vulnerabilities. If you would like to report a vulnerability, please email infosec@tiny.cloud.
diff --git a/js/jquery.plupload.queue/jquery.plupload.queue.js b/js/jquery.plupload.queue/jquery.plupload.queue.js
@@ -301,7 +301,7 @@ used as it is.
 
 									// Rename file and glue extension back on
 									file.name = targetInput.val() + ext;
-									targetSpan.html(file.name);
+									targetSpan.text(file.name);
 									targetInput.blur();
 								}
 							});

diff --git a/js/jquery.plupload.queue/jquery.plupload.queue.min.js b/js/jquery.plupload.queue/jquery.plupload.queue.min.js
diff --git a/js/jquery.ui.plupload/jquery.ui.plupload.js b/js/jquery.ui.plupload/jquery.ui.plupload.js
@@ -489,7 +489,7 @@ $.widget("ui.plupload", {
 					break;
 			}
 
-			message += " <br /><i>" + details + "</i>";
+			message += " <br /><i>" + plupload.xmlEncode(details) + "</i>";
 
 			self._trigger('error', null, { up: up, error: err } );
 
@@ -1305,7 +1305,7 @@ $.widget("ui.plupload", {
 					// Rename file and glue extension back on
 					if (e.keyCode === 13) {
 						file.name = nameInput.val() + ext;
-						nameSpan.html(file.name);
+						nameSpan.text(file.name);
 					}
 					nameInput.blur();
 				}

diff --git a/js/jquery.ui.plupload/jquery.ui.plupload.min.js b/js/jquery.ui.plupload/jquery.ui.plupload.min.js
diff --git a/package.json b/package.json
@@ -1,8 +1,8 @@
 {
     "name": "plupload",
     "description": "Plupload is a JavaScript API for dealing with file uploads it supports features like multiple file selection, file type filtering, request chunking, client side image scaling and it uses different runtimes to achieve this such as HTML 5, Silverlight and Flash.",
-    "version": "3.1.3",
-    "releaseDate": "2021-03-29",
+    "version": "3.1.4",
+    "releaseDate": "2021-11-15",
     "author": "Ephox",
     "contributors": [{
         "name": "Davit Barbakadze",

diff --git a/src/jquery.plupload.queue/jquery.plupload.queue.js b/src/jquery.plupload.queue/jquery.plupload.queue.js
@@ -223,7 +223,7 @@ used as it is.
 
 						fileList.append(
 							'<li id="' + file.id + '">' +
-								'<div class="plupload_file_name"><span>' + file.name + '</span></div>' +
+								'<div class="plupload_file_name"><span>' + plupload.xmlEncode(file.name) + '</span></div>' +
 								'<div class="plupload_file_action"><a href="#"></a></div>' +
 								'<div class="plupload_file_status">' + file.percent + '%</div>' +
 								'<div class="plupload_file_size">' + plupload.formatSize(file.size) + '</div>' +
@@ -301,7 +301,7 @@ used as it is.
 
 									// Rename file and glue extension back on
 									file.name = targetInput.val() + ext;
-									targetSpan.html(file.name);
+									targetSpan.text(file.name);
 									targetInput.blur();
 								}
 							});

diff --git a/src/jquery.ui.plupload/jquery.ui.plupload.js b/src/jquery.ui.plupload/jquery.ui.plupload.js
@@ -489,7 +489,7 @@ $.widget("ui.plupload", {
 					break;
 			}
 
-			message += " <br /><i>" + details + "</i>";
+			message += " <br /><i>" + plupload.xmlEncode(details) + "</i>";
 
 			self._trigger('error', null, { up: up, error: err } );
 
@@ -1305,7 +1305,7 @@ $.widget("ui.plupload", {
 					// Rename file and glue extension back on
 					if (e.keyCode === 13) {
 						file.name = nameInput.val() + ext;
-						nameSpan.html(file.name);
+						nameSpan.text(file.name);
 					}
 					nameInput.blur();
 				}