From c3c474a5b70f9fb4bb368b5b58c623b1c9e2fc16 Mon Sep 17 00:00:00 2001
From: dvz <devilshakerz@gmail.com>
Date: Sat, 19 Nov 2022 20:03:36 +0100
Subject: [PATCH] Fix Attachment upload XSS

---
 inc/functions_upload.php         |  2 +-
 install/resources/mybb_theme.xml |  4 ++--
 jscripts/post.js                 | 11 +++++++++--
 3 files changed, 12 insertions(+), 5 deletions(-)

diff --git a/inc/functions_upload.php b/inc/functions_upload.php
index bbfcab78ee..ed27b2325d 100644
--- a/inc/functions_upload.php
+++ b/inc/functions_upload.php
@@ -823,7 +823,7 @@ function add_attachments($pid, $forumpermissions, $attachwhere, $action=false)
 						}
 						else if(isset($attachedfile['aid']) && $mybb->get_input('ajax', MyBB::INPUT_INT) == 1)
 						{
-							$ret['success'][] = array($attachedfile['aid'], get_attachment_icon(get_extension($filename)), $filename, get_friendly_size($FILE['size']));
+							$ret['success'][] = array($attachedfile['aid'], get_attachment_icon(get_extension($filename)), htmlspecialchars_uni($filename), get_friendly_size($FILE['size']));
 						}
 					}
 				}
diff --git a/install/resources/mybb_theme.xml b/install/resources/mybb_theme.xml
index e981364b81..7b11d78374 100644
--- a/install/resources/mybb_theme.xml
+++ b/install/resources/mybb_theme.xml
@@ -9606,7 +9606,7 @@ if(use_xmlhttprequest == "1")
 </table>
 </td>
 </tr>]]></template>
-		<template name="post_javascript" version="1827"><![CDATA[
+		<template name="post_javascript" version="1832"><![CDATA[
 			<script type="text/javascript">
 				lang.add_attachment = "{$lang->add_attachment}";
 				lang.update_attachment = "{$lang->update_attachment}";
@@ -9622,7 +9622,7 @@ if(use_xmlhttprequest == "1")
 				php_max_file_uploads = {$php_max_file_uploads};
 				mybb_max_file_uploads = {$mybb->settings['maxattachments']};
 			</script>
-			<script type="text/javascript" src="{$mybb->asset_url}/jscripts/post.js?ver=1827"></script>
+			<script type="text/javascript" src="{$mybb->asset_url}/jscripts/post.js?ver=1832"></script>
 			]]></template>
 		<template name="post_prefixselect_multiple" version="1800"><![CDATA[<select name="threadprefix[]" multiple="multiple" size="5">
 <option value="any"{$any_selected}>{$lang->any_prefix}</option>
diff --git a/jscripts/post.js b/jscripts/post.js
index fb003c0e77..1f184623f0 100644
--- a/jscripts/post.js
+++ b/jscripts/post.js
@@ -215,8 +215,15 @@ var Post = {
 		if (Post.fileInput.prop('files').length) {
 			var common = Post.getCommonFiles();
 			if (common.length) {
-				common = '<ul><li>' + common.join('</li><li>') + '</li></ul>';
-				MyBB.prompt(lang.update_confirm.replace("{1}", common), {
+				var list = document.createElement('ul');
+
+				$.map(common, function (val) {
+					var e = document.createElement('li');
+					e.textContent = val;
+					list.append(e);
+				});
+
+				MyBB.prompt(lang.update_confirm.replace("{1}", list.outerHTML), {
 					buttons: [
 						{ title: yes_confirm, value: true },
 						{ title: no_confirm, value: false }