security issue fixed

munafio · Aug 18, 2021 · 476d846 · 476d846
1 parent 4d6bbff
commit 476d846
Show file tree

Hide file tree

Showing 4 changed files with 16 additions and 4 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,12 @@
 
 All notable changes to this project will be documented in this file.
 
+## v1.2.5 (2021-08-18)
+
+### Fixed
+
+- Fixed a security issue on uploaded file-name, which is vulnerable with XSS.
+
 ## v1.2.4 (2021-07-15)
 
 ### Fixed

diff --git a/src/ChatifyMessenger.php b/src/ChatifyMessenger.php
@@ -105,7 +105,7 @@ public function fetchMessage($id){
         if(isset($msg->attachment)){
             $attachmentOBJ = json_decode($msg->attachment);
             $attachment = $attachmentOBJ->new_name;
-            $attachment_title = $attachmentOBJ->old_name;
+            $attachment_title = htmlentities(trim($attachmentOBJ->old_name), ENT_QUOTES, 'UTF-8');
 
             $ext = pathinfo($attachment, PATHINFO_EXTENSION);
             $attachment_type = in_array($ext,$this->getAllowedImages()) ? 'image' : 'file';

diff --git a/src/Http/Controllers/MessagesController.php b/src/Http/Controllers/MessagesController.php
@@ -160,7 +160,7 @@ public function send(Request $request)
                 'body' => htmlentities(trim($request['message']), ENT_QUOTES, 'UTF-8'),
                 'attachment' => ($attachment) ? json_encode((object)[
                     'new_name' => $attachment,
-                    'old_name' => $attachment_title,
+                    'old_name' => htmlentities(trim($attachment_title), ENT_QUOTES, 'UTF-8'),
                 ]) : null,
             ]);
 

diff --git a/src/assets/js/code.js b/src/assets/js/code.js
@@ -19,6 +19,12 @@ const messagesContainer = $(".messenger-messagingView .m-body"),
   access_token = $('meta[name="csrf-token"]').attr("content");
 // console.log(auth_id);
 
+const escapeHtml = (unsafe) => {
+  return unsafe
+    .replace(/&/g, "&amp;")
+    .replace(/</g, "&lt;")
+    .replace(/>/g, "&gt;");
+};
 /**
  *-------------------------------------------------------------
  * Global Templates
@@ -110,7 +116,7 @@ function attachmentTemplate(fileType, fileName, imgURL = null) {
      <div class="attachment-preview">
          <span class="fas fa-times cancel"></span>
          <p style="padding:0px 30px;"><span class="fas fa-file"></span> ` +
-      fileName +
+      escapeHtml(fileName) +
       `</p>
      </div>
      `
@@ -124,7 +130,7 @@ function attachmentTemplate(fileType, fileName, imgURL = null) {
       imgURL +
       `');"></div>
          <p><span class="fas fa-file-image"></span> ` +
-      fileName +
+      escapeHtml(fileName) +
       `</p>
      </div>
      `