From e32ef3685fda2173a3e4e4feae030ce5f42bab6f Mon Sep 17 00:00:00 2001
From: Luc Didry
Date: Tue, 2 Nov 2021 14:50:23 +0100
Subject: [PATCH] =?UTF-8?q?=F0=9F=94=92=20Fix=20XSS=20where=20using=20zip?= =?UTF-8?q?=20feature=20(#254)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 CHANGELOG | 1 +
 themes/default/public/js/lufi-down.js | 4 ++--
 themes/default/public/js/lufi-up.js | 4 ++--
 3 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/CHANGELOG b/CHANGELOG
index 1978847..b712577 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -4,6 +4,7 @@ Revision history for Lufi
 - 🐛 Fix mail signature separator
 - 💄 Disable signature when using LDAP (#249)
 - 🌐 Update translations
+ - 🔒 Fix XSS where using zip feature (#254)
 0.05.14 2021-06-16
 - 🔧 Set default morbo port to 3000 (as it should have stay)
diff --git a/themes/default/public/js/lufi-down.js b/themes/default/public/js/lufi-down.js
index b117adf..ee1f666 100644
--- a/themes/default/public/js/lufi-down.js
+++ b/themes/default/public/js/lufi-down.js
@@ -145,9 +145,9 @@ function spawnWebsocket(pa) {
 zip.forEach(function (relativePath, zipEntry) {
 innerHTML.push(
 '
  • ', - zipEntry.name, + escapeHtml(zipEntry.name), ' (', filesize(zipEntry._data.uncompressedSize, {base: 10}), ') ', - '', + '', '', '', '
  • '
diff --git a/themes/default/public/js/lufi-up.js b/themes/default/public/js/lufi-up.js
index 8776fde..2b7ef68 100644
--- a/themes/default/public/js/lufi-up.js
+++ b/themes/default/public/js/lufi-up.js
@@ -102,7 +102,7 @@ function firstViewClicking() {
 }
 // When clicking on zip checkbox
-function zipClicking () {
+function zipClicking() {
 if ($('#zip-files').attr('data-checked') && $('#zip-files').attr('data-checked') === 'data-checked') {
 window.zipSize = 0;
 window.zip = null;
@@ -249,7 +249,7 @@ function handleFiles(f) {
 $('#zip-size').text(filesize(window.zipSize));
 $('#zip-parts').append([
 '
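Review bot: `escapeHtml(zipEntry.name)` feeds the entry name into two different contexts — the visible list text and, on the second `-`/`+` pair (shown here as empty strings, so the surrounding markup is presumably stripped in this rendering), what looks like an attribute value — and escaping only `<`, `>` and `&` is not sufficient for an attribute, so confirm that `escapeHtml` also escapes `"` and `'`; otherwise a quote in an entry name could still terminate the attribute. The diffstat lists no file that defines `escapeHtml`, so it must already be provided by a script loaded before both lufi-down.js and lufi-up.js; worth verifying, since an undefined helper would throw inside the `forEach` and leave the listing blank. Building these entries with DOM APIs instead of string-concatenated HTML, e.g. `$('<li>').text(zipEntry.name)` and `.attr(...)` for the attribute, would make the escaping context-independent. The same considerations apply to the `handleFiles` hunk in lufi-up.js; `spawnWebsocket` starts and ends outside this hunk.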
  • ',
- '— ', filename, ' (', filesize(element.size), ')',
+ '— ', escapeHtml(filename), ' (', filesize(element.size), ')',
 '
  • '
 ].join(''));
 }