diff --git a/bbb-common-web/src/main/java/org/bigbluebutton/api/util/ParamsUtil.java b/bbb-common-web/src/main/java/org/bigbluebutton/api/util/ParamsUtil.java
index 6e6697ad23..3f5c07aad6 100755
--- a/bbb-common-web/src/main/java/org/bigbluebutton/api/util/ParamsUtil.java
+++ b/bbb-common-web/src/main/java/org/bigbluebutton/api/util/ParamsUtil.java
@@ -21,6 +21,10 @@ public class ParamsUtil {
return text.replaceAll("\\p{Cc}", "").trim();
}
+ public static String stripTags(String text) {
+ return text.replaceAll("<[^>]*>", "");
+}
+
public static String escapeHTMLTags(String value) {
return StringEscapeUtils.escapeHtml4(value);
}
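Review bot: `stripTags` recompiles its regex on every call, throws `NullPointerException` on null input, and carries no Javadoc saying what it does and does not remove. The pattern `<[^>]*>` deletes only complete `<...>` spans, so a lone `<` or `>` and any `&`-sequences pass through untouched — it is a lossy filter on the value, not output encoding, and a caller that renders the result as HTML still needs `escapeHTMLTags` (or the client-side equivalent) at the output point. Suggest `private static final Pattern TAG = Pattern.compile("<[^>]*>");` (with `java.util.regex.Pattern` imported) and `return text == null ? null : TAG.matcher(text).replaceAll("");`, plus a Javadoc stating that only complete `<...>` sequences are removed and that the method is not a substitute for HTML escaping.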
diff --git a/bigbluebutton-html5/imports/ui/components/chat/service.js b/bigbluebutton-html5/imports/ui/components/chat/service.js
index 1d4ed6660f..171fb80525 100755
--- a/bigbluebutton-html5/imports/ui/components/chat/service.js
+++ b/bigbluebutton-html5/imports/ui/components/chat/service.js
@@ -345,13 +345,14 @@ const removePackagedClassAttribute = (classnames, attribute) => {
};
const getExportedPresentationString = (fileURI, filename, intl, fileStateType) => {
+ const sanitizedFilename = stripTags(filename);
const intlFileStateType = fileStateType === 'Original' ? intlMessages.original : intlMessages.withWhiteboardAnnotations;
const href = `${APP.bbbWebBase}/${fileURI}`;
const warningIcon = '';
const label = `${intl.formatMessage(intlMessages.download)}`;
const notAccessibleWarning = `${warningIcon}`;
const link = `${label} ${notAccessibleWarning}`;
- const name = `$(unknown) (${intl.formatMessage(intlFileStateType)})`;
+ const name = `${sanitizedFilename} (${intl.formatMessage(intlFileStateType)})`;
return `${name}${link}`;
};
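Review bot: `stripTags` is called at the top of `getExportedPresentationString` but this hunk adds no import or local definition for it, so unless it is already in scope earlier in `service.js` the new line is a `ReferenceError` at runtime; the Java `ParamsUtil.stripTags` added in the same commit is server-side and cannot be what this name resolves to. The result is interpolated into `name` and returned together with the `href`/`label` markup, so a filename containing a bare `<` or `&` still reaches the rendered output unchanged — if this string is rendered as HTML, escaping the filename here is the robust fix and tag stripping at most a complement. A one-line comment above the new line would also help, e.g. `// filename comes from the uploaded file's name; remove markup before it is interpolated into the message`.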
diff --git a/bigbluebutton-web/grails-app/controllers/org/bigbluebutton/web/controllers/PresentationController.groovy b/bigbluebutton-web/grails-app/controllers/org/bigbluebutton/web/controllers/PresentationController.groovy
index e87b34c5f2..5d5d50f251 100755
--- a/bigbluebutton-web/grails-app/controllers/org/bigbluebutton/web/controllers/PresentationController.groovy
+++ b/bigbluebutton-web/grails-app/controllers/org/bigbluebutton/web/controllers/PresentationController.groovy
@@ -30,6 +30,7 @@ import org.apache.commons.io.FilenameUtils;
import org.bigbluebutton.web.services.PresentationService
import org.bigbluebutton.presentation.UploadedPresentation
import org.bigbluebutton.api.MeetingService;
+import org.bigbluebutton.api.util.ParamsUtil;
import org.bigbluebutton.api.Util;
class PresentationController {
@@ -161,6 +162,7 @@ class PresentationController {
// Gets the name minus the path from a full fileName.
// a/b/c.txt --> c.txt
presFilename = FilenameUtils.getName(presOrigFilename)
+ presFilename = ParamsUtil.stripTags(presFilename)
filenameExt = FilenameUtils.getExtension(presFilename)
} else {
log.warn "Upload failed. File Empty."
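Review bot: The stripped name is never checked afterwards, so a filename made entirely of `<...>` spans continues with `presFilename == ""` and an empty `filenameExt` on the next line instead of taking the failure path the `else` branch uses for an empty file. The call also runs after `FilenameUtils.getName`, so a `/` inside a tag-like span is already treated as a path separator before the span is removed; if the intent is to remove markup from the user-chosen name as a whole, `presFilename = FilenameUtils.getName(ParamsUtil.stripTags(presOrigFilename))` keeps the basename extraction last. `ParamsUtil.stripTags` as added in this commit calls `text.replaceAll` directly, so if `presOrigFilename` can be null here (`FilenameUtils.getName(null)` returns null) the new line throws; a null/empty guard with the same `log.warn` treatment would cover both cases. The enclosing method starts and ends outside this hunk.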