From 476d846267be9a1743482548833a92c1f75fe2a1 Mon Sep 17 00:00:00 2001
From: munafio
Date: Wed, 18 Aug 2021 13:36:34 +0300
Subject: [PATCH] security issue fixed

---
 CHANGELOG.md | 6 ++++++
 src/ChatifyMessenger.php | 2 +-
 src/Http/Controllers/MessagesController.php | 2 +-
 src/assets/js/code.js | 10 ++++++++--
 4 files changed, 16 insertions(+), 4 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 562e027..e62f4d2 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,12 @@
 All notable changes to this project will be documented in this file.
+## v1.2.5 (2021-08-18)
+
+### Fixed
+
+- Fixed a security issue on uploaded file-name, which is vulnerable with XSS.
+
 ## v1.2.4 (2021-07-15)
 ### Fixed
diff --git a/src/ChatifyMessenger.php b/src/ChatifyMessenger.php
index baeda57..a911826 100644
--- a/src/ChatifyMessenger.php
+++ b/src/ChatifyMessenger.php
@@ -105,7 +105,7 @@ public function fetchMessage($id){
 if(isset($msg->attachment)){
 $attachmentOBJ = json_decode($msg->attachment);
 $attachment = $attachmentOBJ->new_name;
- $attachment_title = $attachmentOBJ->old_name;
+ $attachment_title = htmlentities(trim($attachmentOBJ->old_name), ENT_QUOTES, 'UTF-8');
 $ext = pathinfo($attachment, PATHINFO_EXTENSION);
 $attachment_type = in_array($ext,$this->getAllowedImages()) ? 'image' : 'file';
diff --git a/src/Http/Controllers/MessagesController.php b/src/Http/Controllers/MessagesController.php
index 7083216..d180e8e 100644
--- a/src/Http/Controllers/MessagesController.php
+++ b/src/Http/Controllers/MessagesController.php
@@ -160,7 +160,7 @@ public function send(Request $request)
 'body' => htmlentities(trim($request['message']), ENT_QUOTES, 'UTF-8'),
 'attachment' => ($attachment) ? json_encode((object)[
 'new_name' => $attachment,
- 'old_name' => $attachment_title,
+ 'old_name' => htmlentities(trim($attachment_title), ENT_QUOTES, 'UTF-8'),
 ]) : null,
 ]);
diff --git a/src/assets/js/code.js b/src/assets/js/code.js
index 55af954..d386c51 100644
--- a/src/assets/js/code.js
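Review bot: The new `$attachment_title` line re-encodes a value that `send()` (next hunk in this patch) now already persists HTML-encoded, so a filename containing `&`, `<`, `>` or a quote is double-encoded on read and shows up on screen as literal `&amp;`/`&lt;` text. Escape exactly once: either keep the raw name in storage and escape only here, or at least stop re-encoding existing entities and add ENT_SUBSTITUTE so an invalid-UTF-8 filename does not collapse the title to an empty string: `$attachment_title = htmlentities(trim($attachmentOBJ->old_name), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', false);`. If older rows can carry attachment JSON without `old_name`, `trim()` receives null; `(string) ($attachmentOBJ->old_name ?? '')` avoids the deprecation and the empty-title surprise. `fetchMessage()` begins before and continues past this hunk.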
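Review bot: The new `old_name` line persists the HTML-escaped form of the client-supplied filename, which ties the stored value to one output context; any non-HTML use later (a Content-Disposition header on download, JSON that the client-side `escapeHtml` in code.js escapes again, or the re-escape in `fetchMessage()`) will emit `&amp;`-style text or double-encode. The value is already inside a JSON document, not HTML, so the robust pattern is to store the raw name and escape at each render site; if encode-at-storage is kept on purpose, say so where it is written, e.g. `// old_name is persisted HTML-encoded; render sites must not escape it again`, and include ENT_SUBSTITUTE so an invalid-UTF-8 name does not become an empty string. Where `$attachment_title` comes from is outside this hunk; if it is the upload's client original filename it is attacker-controlled and must be treated as untrusted in every context, not only HTML. `send()` starts before and ends after this hunk.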
+++ b/src/assets/js/code.js
@@ -19,6 +19,12 @@ const messagesContainer = $(".messenger-messagingView .m-body"),
 access_token = $('meta[name="csrf-token"]').attr("content");
 // console.log(auth_id);
+const escapeHtml = (unsafe) => {
+ return unsafe
+ .replace(/&/g, "&")
+ .replace(//g, ">");
+};
 /**
 *-------------------------------------------------------------
 * Global Templates
@@ -110,7 +116,7 @@ function attachmentTemplate(fileType, fileName, imgURL = null) {
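Review bot: `escapeHtml` calls `.replace` directly on its argument, so a `fileName` that is undefined or null (a message whose attachment JSON has no `old_name`) throws a TypeError in the template instead of rendering an empty title; open with `return String(unsafe == null ? "" : unsafe)`. This page's rendering of the hunk is garbled (entity references were decoded, leaving `.replace(//g, ">")`), so the exact replacement set cannot be confirmed here; as far as it is visible the helper handles `&`, `<` and `>` but not quotes, which is safe only for element text content, while `attachmentTemplate` below also concatenates values into attribute context (`url('…')`). Add `.replace(/"/g, "&quot;")` and `.replace(/'/g, "&#39;")` so the same helper is safe inside quoted attributes, and state the contract above it: `// HTML-escape untrusted text for insertion into element content or quoted attribute values; never use for URLs or script`.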

` +
- fileName +
+ escapeHtml(fileName) +
`

` @@ -124,7 +130,7 @@ function attachmentTemplate(fileType, fileName, imgURL = null) { imgURL + `');">

` +
- fileName +
+ escapeHtml(fileName) +
`

`