sanitize filename suggestion

2026-05-11 04:07:58 +02:00
parent bd0af82a02
commit 56f5975051


@@ -1,3 +1,12 @@
const escapeHtmlUpload = (unsafe) => {
return (unsafe || '').toString()
.replace(/&/g, "&")
.replace(/</g, "&lt;")
.replace(/>/g, "&gt;")
.replace(/"/g, "&quot;")
.replace(/'/g, "&#039;");
};
window.initUploadForm = (selector) => { window.initUploadForm = (selector) => {
const form = (typeof selector === 'string') ? document.querySelector(selector) : selector; const form = (typeof selector === 'string') ? document.querySelector(selector) : selector;
if (!form) return; if (!form) return;
@@ -740,7 +749,7 @@ window.initUploadForm = (selector) => {
chip.className = 'tag-chip'; chip.className = 'tag-chip';
chip.style.cursor = 'pointer'; chip.style.cursor = 'pointer';
chip.title = 'Click to edit prefix or tag'; chip.title = 'Click to edit prefix or tag';
chip.innerHTML = `<span class="tag-text">${tagName}</span><button type="button">&times;</button>`; chip.innerHTML = `<span class="tag-text">${escapeHtmlUpload(tagName)}</span><button type="button">&times;</button>`;
// Remove button logic // Remove button logic
chip.querySelector('button').addEventListener('click', (e) => { chip.querySelector('button').addEventListener('click', (e) => {
@@ -858,7 +867,7 @@ window.initUploadForm = (selector) => {
const sug = document.createElement('div'); const sug = document.createElement('div');
sug.className = 'meta-suggestion'; sug.className = 'meta-suggestion';
sug.setAttribute('data-text', text); sug.setAttribute('data-text', text);
sug.innerHTML = `<i class="fa fa-plus-circle" style="user-select:none"></i> <span>${text}</span>`; sug.innerHTML = `<i class="fa fa-plus-circle" style="user-select:none"></i> <span>${escapeHtmlUpload(text)}</span>`;
sug.addEventListener('mouseup', (ev) => { sug.addEventListener('mouseup', (ev) => {
const sel = window.getSelection?.()?.toString().trim(); const sel = window.getSelection?.()?.toString().trim();
@@ -967,7 +976,7 @@ window.initUploadForm = (selector) => {
const scoreStr = typeof s.score === 'number' ? s.score.toFixed(2) : '0.00'; const scoreStr = typeof s.score === 'number' ? s.score.toFixed(2) : '0.00';
html += ` html += `
<div class="tag-suggestion-item"> <div class="tag-suggestion-item">
<span class="tag-suggestion-name">${s.tag}</span> <span class="tag-suggestion-name">${escapeHtmlUpload(s.tag)}</span>
<span class="tag-suggestion-meta">${s.tagged || 0}× · ${scoreStr}</span> <span class="tag-suggestion-meta">${s.tagged || 0}× · ${scoreStr}</span>
</div> </div>
`; `;
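Review bot: In the last hunk `${s.tagged || 0}` is still interpolated into `html` without escaping, right beside the now-escaped `s.tag`; if `tagged` can arrive from the suggestion data as a string rather than a number, that span remains an HTML injection point. Coercing it closes the gap: `<span class="tag-suggestion-meta">${Number(s.tagged) || 0}× · ${scoreStr}</span>`. Separately, the first replacement in `escapeHtmlUpload` is shown on this page as `.replace(/&/g, "&")`, which would be a no-op; this may be a rendering artifact, but confirm the file has `"&amp;"` so that entity text already present in a tag name or suggestion is shown literally instead of being decoded. The template literal and the loop that builds `html` start and end outside the hunk.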