Merge pull request #631 from shirishupadhyay/release/1.2.0

Release/1.2.0
yogeshojha · May 14, 2022 · aca1a0b · aca1a0b
2 parents a4d1df4 + 213bcee
commit aca1a0b
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 2 deletions.
diff --git a/.github/SECURITY.md b/.github/SECURITY.md
@@ -7,7 +7,7 @@ Thank you for your interest in reporting vulnerabilities to reNgine! If you are
 
 **Please do not disclose any vulnerabilities via Github Issues/Blogs/Tweets after/before reporting on huntr.dev as it is explicitly against huntr.dev and reNgine disclosure policy and will not be eligible for monetary rewards.**
 
-Please note that the maintainer of reNgine does not determine the bounty amount. 
+Please note that the maintainer of reNgine does not determine the bounty amount.
 The bounty reward is determined by industry-first equation from huntr.dev to understand the popularity, impact and value of repositories to the open source community.
 
 **What do we expect from security researchers?**
@@ -32,6 +32,8 @@ Please find the [FAQ](https://www.huntr.dev/faq) and [Responsible disclosure pol
 
 * Several Instances of XSS in reNgine 1.0 (#460, #459, #458, #457, #456, #455), Reported by [Binit Ghimire](https://github.com/TheBinitGhimire)
 
+* [Stored XSS](https://huntr.dev/bounties/dfd440ba-4330-413c-8b21-a3d8bf02a67e/) on Import Targets via filename, Reported by [Veeshraj Ghimire](https://github.com/V35HR4J)
+
 **reNgine thanks the following people for making a responsible disclosure and helping the community make reNgine safer!**
 
 * [onemishra](https://github.com/omemishra)

diff --git a/web/targetApp/templates/target/add.html b/web/targetApp/templates/target/add.html
@@ -325,7 +325,7 @@ <h6 id="selectedCsvFileName" class="text-primary"></h6>
   });
 
   function showname (file, id) {
-    $(id).html('Selected file: ' + file.files.item(0).name);
+    $(id).html('Selected file: ' + htmlEncode(file.files.item(0).name));
   };
 
   function show_whois(){