diff --git a/public/s/js/upload.js b/public/s/js/upload.js
index 978ba8b..bb26c1f 100644
--- a/public/s/js/upload.js
+++ b/public/s/js/upload.js
@@ -1,3 +1,12 @@
+const escapeHtmlUpload = (unsafe) => {
+ return (unsafe || '').toString()
+ .replace(/&/g, "&")
+ .replace(//g, ">")
+ .replace(/"/g, """)
+ .replace(/'/g, "'");
+};
+
 window.initUploadForm = (selector) => {
 const form = (typeof selector === 'string') ? document.querySelector(selector) : selector;
 if (!form) return;
@@ -740,7 +749,7 @@ window.initUploadForm = (selector) => {
 chip.className = 'tag-chip';
 chip.style.cursor = 'pointer';
 chip.title = 'Click to edit prefix or tag';
- chip.innerHTML = `${tagName}`;
+ chip.innerHTML = `${escapeHtmlUpload(tagName)}`;
 // Remove button logic
 chip.querySelector('button').addEventListener('click', (e) => {
@@ -858,7 +867,7 @@ window.initUploadForm = (selector) => {
 const sug = document.createElement('div');
 sug.className = 'meta-suggestion';
 sug.setAttribute('data-text', text);
- sug.innerHTML = ` ${text}`;
+ sug.innerHTML = ` ${escapeHtmlUpload(text)}`;
 sug.addEventListener('mouseup', (ev) => {
 const sel = window.getSelection?.()?.toString().trim();
@@ -967,7 +976,7 @@ window.initUploadForm = (selector) => {
 const scoreStr = typeof s.score === 'number' ? s.score.toFixed(2) : '0.00';
 html += `
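Review bot: As printed, the replacement table in `escapeHtmlUpload` escapes nothing — `.replace(/&/g, "&")` maps `&` to itself and `.replace(//g, ">")` is not even valid JavaScript, since `//` opens a line comment — so this looks like the page decoding HTML entities rather than what was committed; please confirm the file really carries `"&amp;"`, `"&lt;"`, `"&gt;"`, `"&quot;"` and `"&#39;"` as the replacement strings, with separate `/</g` and `/>/g` lines where the `//g` line appears here. The `(unsafe || '')` fallback also turns a numeric `0` into an empty string, whereas `(unsafe ?? '')` keeps it while still covering null and undefined. A one-line JSDoc such as `/** Escapes &, <, >, " and ' so a value can be interpolated as text inside innerHTML; non-strings are stringified first. */` would record the contract, and the name should say it is only safe for text/quoted-attribute positions. `initUploadForm` continues well past this hunk.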
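Review bot: The escaped `tagName` still flows into `chip.innerHTML`, and the markup around `${...}` is not visible here (the tags appear to have been stripped from the page), so the fix is only sufficient if the value lands in text content or a quoted attribute — `escapeHtmlUpload` does not make an unquoted attribute, a URL attribute or an inline event-handler attribute safe. Since the chip is already a created element, appending the label as a text node, e.g. `chip.append(document.createTextNode(tagName));` followed by a `document.createElement('button')` for the remove control, would remove the interpolation entirely and make the escaper unnecessary at this site. The same consideration applies to the `sug.innerHTML` line in the following hunk, while `sug.setAttribute('data-text', text)` is fine as is because `setAttribute` does not parse markup. The enclosing function starts and ends outside this hunk.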