fix security issue #1337

website/templates/report.html

@@ -356,17 +356,17 @@ <h2 class="text-2xl font-semibold leading-7 text-gray-900">
     const screenshots = document.getElementById('screenshots');
     let manage_div = document.getElementById("files_manage");
 
+    function escapeHtml(str) {return str.replace(/[&<>"'/]/g, function (s) {var entityMap = {"&": "&amp;","<": "&lt;",">": "&gt;",'"': '&quot;',"'": '&#39;',"/": '&#x2F;'};return entityMap[s];});}
     function previewFile(file_name) {
         event.preventDefault();
-        if (!screenshots || !(screenshots instanceof HTMLInputElement) || !screenshots.files || !screenshots.files.length) return;
         Array.from(screenshots.files).map(file => {
-            if (file.name === file_name && file.type.startsWith('image/')) {
-                let src = URL.createObjectURL(file);                
-                // Set the src attribute for the image preview
-                $("#image-preview").attr("src", src).on('load', function() {
-                    URL.revokeObjectURL(src);  // Revoke the blob URL after it's used
-                });
-                $("#image-preview-wrapper").css("display", "flex");
+            if (file.name === file_name) {
+                let src = URL.createObjectURL(file);
+                if (src.startsWith('blob:')) {
+                    let escapedSrc = escapeHtml(src);
+                    $("#image-preview").attr("src", escapedSrc);
+                    $("#image-preview-wrapper").show();
+                }else {$("#image-preview-wrapper").hide();}
             }
         });
     }