Cross-Site Scripting during File Upload (Self-XSS)
Hi all,
Uploading files with potentially harmful HTML or JavaScript characters allows for XSS.
Example file name: Sun'><img src=x onerror=alert('filerun')>set.jpg
I tested the issue on the official demo site and assume that the docker instance is also susceptible. The issue is a so-called self-XSS. So likelihood of exploitation is low and potentially no impact for other users, since the file upload process cannot be finished due to improper file name syntax. Nonetheless, input validation should occur to mitigate this issue.
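
The pattern behind a file-name XSS like the one reported, as an added example that is not FileRun's code and not part of the original post: a hypothetical upload dialog renders the file name into a list row. The vulnerable `renderFileRowVulnerable` concatenates the raw name into markup (the `'` in the reported name closes the `title` attribute and the `>` closes the tag, so the `<img onerror=...>` becomes live markup); the hardened `renderFileRowSafe` HTML-encodes the name and quotes the attribute, which is the output-encoding half of the fix alongside the input validation the report asks for. The renderer, the `upload` class and `containsInjectedTag` are all assumptions made for the example; the file name is the one quoted in the report.

```javascript
// Added example, not FileRun code: a hypothetical upload-dialog renderer
// that puts a file name into HTML, shown vulnerable and hardened.
// The file name is the one from the report (constructed test input).
const REPORTED_NAME = "Sun'><img src=x onerror=alert('filerun')>set.jpg";

// Vulnerable: the untrusted name is concatenated straight into markup.
// The quote in the name ends the title attribute, the '>' ends the <li>
// start tag, and the <img ...> that follows is parsed as a real element.
function renderFileRowVulnerable(name) {
  return `<li class="upload" title='${name}'>${name}</li>`;
}

// Encode the five characters that can break out of text content or a
// quoted attribute value. Attribute values must also be quoted for this
// to be sufficient (see renderFileRowSafe).
function escapeHtml(s) {
  const map = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened: every untrusted value is encoded before insertion and the
// attribute is double-quoted. In browser code, assigning textContent and
// setAttribute on a created element achieves the same without escaping.
function renderFileRowSafe(name) {
  const safe = escapeHtml(name);
  return `<li class="upload" title="${safe}">${safe}</li>`;
}

// Check helper (assumption for this example): does the rendered markup
// contain any tag other than the <li> the renderer itself emits?
function containsInjectedTag(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.some((t) => !/^<\/?li\b/.test(t));
}

console.log(renderFileRowVulnerable(REPORTED_NAME));
console.log(renderFileRowSafe(REPORTED_NAME));
```

Running the block shows the vulnerable row containing a second `<img ...>` element, while the hardened row contains the name only as encoded text. Filtering characters such as `<`, `>`, `'` and `"` out of uploaded file names (the input-validation side) is a reasonable defence in depth, but the rendering side still needs encoding, because names that pass validation today may be displayed in a different context tomorrow.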

Hi! Interesting find! Will fix, thank you!