XSS vulnerability fixed. [ High Priority ]

Open DrHazemAli opened this issue 7 years ago • 0 comments

Hi, there is an XSS vulnerability inside dropify.min.js that allows the client side to perform JS actions when the image is being uploaded in the preview inner, because the filename itself can be renamed to HTML or JavaScript code.

Example : (">< img src = x onerror=prompt(1) >.png)

Org: this.filenameWrapper.children(".dropify-filename-inner").html(this.file.name);

Fixes :

this.filenameWrapper.children(".dropify-filename-inner").html(cleanHTMLi(this.file.name));

I've written a function to perform HTML cleanup:

function cleanHTMLi(s) { return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/"/g, '&quot;'); }

Thanks,

DrHazemAli, Jul 28 '17 15:07
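The escaping approach from the issue above, as an added example that is not part of the original post or Dropify's code: it escapes all five HTML-significant characters in a single pass and checks that the filename from the issue becomes inert text while still displaying exactly as named. The helper names `escapeHtml`, `unescapeHtml`, `filenameMarkup` and `isInert` are hypothetical, and the second and third sample filenames are constructed.

```javascript
// Added example; not Dropify's code. All function names here are hypothetical.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// One pass over the input: an '&' produced by a replacement is never escaped
// again, so the result does not depend on the order of chained .replace() calls.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ENTITIES[c]);
}

// Inverse mapping, used only to confirm what a browser would display.
function unescapeHtml(s) {
  const names = { amp: '&', lt: '<', gt: '>', quot: '"', '#39': "'" };
  return s.replace(/&(amp|lt|gt|quot|#39);/g, (m, name) => names[name]);
}

// Markup that would be passed to .html() for the filename element.
// With jQuery, .text(name) sets the name as text and needs no escaping at all.
function filenameMarkup(name) {
  return '<span class="dropify-filename-inner">' + escapeHtml(name) + '</span>';
}

// True when the escaped name contains no markup characters of its own and
// still decodes back to the exact filename the user supplied.
function isInert(name) {
  const escaped = escapeHtml(name);
  return !/[<>"']/.test(escaped) && unescapeHtml(escaped) === name;
}

const samples = [
  '">< img src = x onerror=prompt(1) >.png', // filename given in the issue
  'Q&A "notes" <draft>.png',                 // constructed benign name
  'already &lt;escaped&gt;.png',             // constructed: literal entity text
];
for (const name of samples) {
  console.log(filenameMarkup(name), isInert(name));
}
```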