sanitize filename suggestion
@@ -1,3 +1,12 @@
|
||||
const escapeHtmlUpload = (unsafe) => {
|
||||
return (unsafe || '').toString()
|
||||
.replace(/&/g, "&")
|
||||
.replace(/</g, "<")
|
||||
.replace(/>/g, ">")
|
||||
.replace(/"/g, """)
|
||||
.replace(/'/g, "'");
|
||||
};
|
||||
|
||||
window.initUploadForm = (selector) => {
|
||||
const form = (typeof selector === 'string') ? document.querySelector(selector) : selector;
|
||||
if (!form) return;
|
||||
@@ -740,7 +749,7 @@ window.initUploadForm = (selector) => {
|
||||
chip.className = 'tag-chip';
|
||||
chip.style.cursor = 'pointer';
|
||||
chip.title = 'Click to edit prefix or tag';
|
||||
chip.innerHTML = `<span class="tag-text">${tagName}</span><button type="button">×</button>`;
|
||||
chip.innerHTML = `<span class="tag-text">${escapeHtmlUpload(tagName)}</span><button type="button">×</button>`;
|
||||
|
||||
// Remove button logic
|
||||
chip.querySelector('button').addEventListener('click', (e) => {
|
||||
@@ -858,7 +867,7 @@ window.initUploadForm = (selector) => {
|
||||
const sug = document.createElement('div');
|
||||
sug.className = 'meta-suggestion';
|
||||
sug.setAttribute('data-text', text);
|
||||
sug.innerHTML = `<i class="fa fa-plus-circle" style="user-select:none"></i> <span>${text}</span>`;
|
||||
sug.innerHTML = `<i class="fa fa-plus-circle" style="user-select:none"></i> <span>${escapeHtmlUpload(text)}</span>`;
|
||||
|
||||
sug.addEventListener('mouseup', (ev) => {
|
||||
const sel = window.getSelection?.()?.toString().trim();
|
||||
@@ -967,7 +976,7 @@ window.initUploadForm = (selector) => {
|
||||
const scoreStr = typeof s.score === 'number' ? s.score.toFixed(2) : '0.00';
|
||||
html += `
|
||||
<div class="tag-suggestion-item">
|
||||
<span class="tag-suggestion-name">${s.tag}</span>
|
||||
<span class="tag-suggestion-name">${escapeHtmlUpload(s.tag)}</span>
|
||||
<span class="tag-suggestion-meta">${s.tagged || 0}× · ${scoreStr}</span>
|
||||
</div>
|
||||
`;
|
||||
|
||||
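Review bot: In the last hunk, `${s.tagged || 0}` is still interpolated into the `html` string unescaped, on the line right after the newly escaped `s.tag`; unlike `s.score` it has no `typeof` check, so a string value in the suggestion data would be inserted as markup. Coerce it at the point of use, `<span class="tag-suggestion-meta">${Number(s.tagged) || 0}× · ${scoreStr}</span>`, or pass it through `escapeHtmlUpload` as well. For the chip and `sug` elements in the two earlier hunks, creating the `<span>` and assigning `textContent` would avoid relying on every call site remembering the helper. The replacement strings inside `escapeHtmlUpload` appear entity-decoded in this rendering (`"&"`, `"<"`), so confirm that the committed file maps each character to its HTML entity. `window.initUploadForm` begins in the first hunk and continues outside all the hunks shown, so the place where `html` is written to the DOM is presumably further down and not visible here.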