I'm using rich:fileUpload in my application on Linux. When I try to upload any file whose name contains HTML code, i.e. "file<img src=xyz onerror=alert('TEST')>Name.png", it gives me a JavaScript alert before uploading the file. I tried it on the live demo and found the same issue there as well. How can I restrict/escape execution of HTML/script or XSS in the file name on Linux?
You can try it yourself by following these steps on Linux.
Create a file with the name "file<img src=xyz onerror=alert('TEST')>Name.png".
Access the rich:fileUpload demo on the RichFaces showcase using the URL below. Upload the file and you will see a JavaScript alert.
http://showcase.richfaces.org:8000/richfaces/component-sample.jsf?demo=fileUpload&skin=blueSky
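The alert fires because the file name is written into the page as markup instead of text. Added example (not RichFaces code, and not from the question's author): the browser-side escaping a file list should apply before it renders a name, plus an assumed file-name policy as defense in depth, run against the exact name from the question.

```javascript
// Added example: escape a user-supplied file name before it is written into
// the page, and optionally reject names that fail a conservative policy.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Replace every character that can open or close markup or an attribute so
// the browser renders the name as text instead of parsing it as HTML.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Defense in depth, independent of rendering: accept only names made of a
// conservative character set. This allowlist is an assumption, not a
// RichFaces rule; widen it to match the names your application must accept.
const SAFE_NAME = /^[A-Za-z0-9._ -]{1,255}$/;
function isAcceptableFileName(name) {
  return SAFE_NAME.test(name) && name !== '.' && name !== '..';
}

// Build the markup for one entry of an upload list, always escaped. Writing
// the name via textContent instead of innerHTML achieves the same result
// when a DOM is available.
function renderFileEntry(name) {
  return `<li class="file">${escapeHtml(name)}</li>`;
}

// Constructed sample: the file name from the question.
const SAMPLE = "file<img src=xyz onerror=alert('TEST')>Name.png";
```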
"I try to upload any file containing html code in file name ie "fileName.png"."
You are saying HTML code in the file name, but I don't see any HTML in "fileName.png".
If I'm not wrong, the file name should be something like file<img src=x onerror=alert('Javascript')>.pdf.