XWIKI-19611: Improve filename escaping in attachment upload

pjeanjean · michitux · commit 9df46f8e5313 · 2024-01-24T15:31:35.000+01:00
* Use escapeHTML() when displaying filenames in upload.js * Add a test in AttachmentIT to check for proper HTML escaping during upload (cherry picked from commit 910a501)
diff --git a/xwiki-platform-core/xwiki-platform-flamingo/xwiki-platform-flamingo-skin/xwiki-platform-flamingo-skin-test/xwiki-platform-flamingo-skin-test-docker/src/test/it/org/xwiki/flamingo/test/docker/AttachmentIT.java b/xwiki-platform-core/xwiki-platform-flamingo/xwiki-platform-flamingo-skin/xwiki-platform-flamingo-skin-test/xwiki-platform-flamingo-skin-test-docker/src/test/it/org/xwiki/flamingo/test/docker/AttachmentIT.java
@@ -65,6 +65,8 @@ class AttachmentIT
 
     private static final String SECOND_ATTACHMENT = "SmallAttachment2.txt";
 
+    private static final String ESCAPED_ATTACHMENT = "<strong>EscapedAttachment.txt";
+
     private static final String IMAGE_ATTACHMENT = "image.gif";
 
     private static final String SMALL_SIZE_ATTACHMENT = "SmallSizeAttachment.png";
@@ -446,6 +448,23 @@ void deleteAttachmentWithSpecialChar(TestUtils setup, TestReference testReferenc
                 basePage.getXWikiMessageContent());
     }
 
+    @Test
+    @Order(9)
+    void checkEscapingInAttachmentName(TestUtils setup, TestReference testReference,
+        TestConfiguration testConfiguration)
+    {
+        setup.loginAsSuperAdmin();
+        setup.createPage(testReference, "Empty content");
+        AttachmentsPane attachmentsPane = new AttachmentsViewPage().openAttachmentsDocExtraPane();
+
+        attachmentsPane.setFileToUpload(getFileToUpload(testConfiguration, ESCAPED_ATTACHMENT).getAbsolutePath());
+        attachmentsPane.waitForUploadToFinish(ESCAPED_ATTACHMENT);
+        attachmentsPane.clickHideProgress();
+
+        assertTrue(attachmentsPane.attachmentExistsByFileName(ESCAPED_ATTACHMENT));
+        attachmentsPane.deleteAttachmentByFileByName(ESCAPED_ATTACHMENT);
+    }
+
     private String getAttachmentsMacroContent(DocumentReference docRef)
     {
         StringBuilder sb = new StringBuilder();
diff --git a/xwiki-platform-core/xwiki-platform-flamingo/xwiki-platform-flamingo-skin/xwiki-platform-flamingo-skin-test/xwiki-platform-flamingo-skin-test-docker/src/test/resources/AttachmentIT/<strong>EscapedAttachment.txt b/xwiki-platform-core/xwiki-platform-flamingo/xwiki-platform-flamingo-skin/xwiki-platform-flamingo-skin-test/xwiki-platform-flamingo-skin-test-docker/src/test/resources/AttachmentIT/<strong>EscapedAttachment.txt
@@ -0,0 +1 @@
+This is an attachment whose name should be escaped.
diff --git a/xwiki-platform-core/xwiki-platform-web/xwiki-platform-web-war/src/main/webapp/resources/uicomponents/widgets/upload.js b/xwiki-platform-core/xwiki-platform-web/xwiki-platform-web-war/src/main/webapp/resources/uicomponents/widgets/upload.js
@@ -124,7 +124,7 @@ var XWiki = (function(XWiki) {
 
       if (this.options.enableFileInfo) {
         statusUI.FILE_INFO   = UploadUtils.createDiv('file-info');
-        (statusUI.FILE_NAME  = UploadUtils.createSpan('file-name', this.file.name)).title = this.file.type;
+        (statusUI.FILE_NAME  = UploadUtils.createSpan('file-name', this.file.name.escapeHTML())).title = this.file.type;
         statusUI.FILE_SIZE   = UploadUtils.createSpan('file-size', ' (' + UploadUtils.bytesToSize(this.file.size) + ')');
         statusUI.FILE_CANCEL = UploadUtils.createButton("$services.localization.render('core.widgets.html5upload.item.cancel')", this.cancelUpload.bindAsEventListener(this));
         // TODO MIME type icon?
@@ -295,7 +295,7 @@ var XWiki = (function(XWiki) {
         this.statusUI.FILE_CANCEL.addClassName('hidden');
       }
       this.formData.input.fire('xwiki:html5upload:message', {content: 'UPLOAD_FINISHING', type: 'inprogress', source: this,
-        parameters : {name : this.file.name}
+        parameters : {name : this.file.name.escapeHTML()}
       });
     },
 
@@ -324,7 +324,7 @@ var XWiki = (function(XWiki) {
         }
       }
       this.formData.input.fire('xwiki:html5upload:message', {content: 'UPLOAD_FINISHED', type: 'done', source: this,
-        parameters : {name : this.file.name, size : UploadUtils.bytesToSize(this.file.size)}
+        parameters : {name : this.file.name.escapeHTML(), size : UploadUtils.bytesToSize(this.file.size)}
       });
       this.formData.input.fire('xwiki:html5upload:fileFinished', {source: this});
       clearInterval(this.timer);
@@ -354,7 +354,8 @@ var XWiki = (function(XWiki) {
      */
     abnormalUploadFinish : function (message) {
       clearInterval(this.timer);
-      this.formData.input.fire('xwiki:html5upload:message', {content: message, type: 'error', source: this, parameters : {name : this.file.name}});
+      this.formData.input.fire('xwiki:html5upload:message', {content: message, type: 'error', source: this, parameters :
+       {name : this.file.name.escapeHTML()}});
       this.formData.input.fire('xwiki:html5upload:fileFinished', {source: this});
     }
   });
@@ -517,7 +518,7 @@ var XWiki = (function(XWiki) {
           }
         } catch (ex) {
           this.showMessage(ex, 'error', {size : UploadUtils.bytesToSize(this.options && this.options.maxFilesize),
-                                         name : file.name, type: file.type
+                                         name : file.name.escapeHTML(), type: file.type
           });
         }
       }

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+This is an attachment whose name should be escaped.`