fix(sec): filter tags in presentation name
parent
45585215cc
commit
f50e10b5ea
@ -21,6 +21,10 @@ public class ParamsUtil {
|
|||||||
return text.replaceAll("\\p{Cc}", "").trim();
|
return text.replaceAll("\\p{Cc}", "").trim();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public static String stripTags(String text) {
|
||||||
|
return text.replaceAll("<[^>]*>", "");
|
||||||
|
}
|
||||||
|
|
||||||
public static String escapeHTMLTags(String value) {
|
public static String escapeHTMLTags(String value) {
|
||||||
return StringEscapeUtils.escapeHtml4(value);
|
return StringEscapeUtils.escapeHtml4(value);
|
||||||
}
|
}
|
||||||
|
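Review bot: A single-pass `<[^>]*>` replace in stripTags is bypassable and must not be relied on as the HTML sanitizer: nested input such as `<<b>script>` becomes `<script>` after one pass, and an unterminated tag like `<img src=x onerror=alert(1)` (no closing `>`) is left untouched yet still opens a tag once the string is embedded in markup, which is exactly what the client-side template in this commit does with it. The method also throws NullPointerException on null input, whereas the neighbouring escapeHTMLTags delegates to escapeHtml4, which as far as I recall tolerates null — worth confirming so the two helpers behave consistently. Since a display name has no legitimate need for angle brackets, dropping the characters themselves closes both bypasses: `return text == null ? null : text.replaceAll("[<>]", "");`. A one-line Javadoc stating that this removes angle brackets and is not an HTML-escaping function, so callers must still escape at the sink, would stop it being reused as one.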
@ -345,13 +345,14 @@ const removePackagedClassAttribute = (classnames, attribute) => {
|
|||||||
};
|
};
|
||||||
|
|
||||||
const getExportedPresentationString = (fileURI, filename, intl, fileStateType) => {
|
const getExportedPresentationString = (fileURI, filename, intl, fileStateType) => {
|
||||||
|
const sanitizedFilename = stripTags(filename);
|
||||||
const intlFileStateType = fileStateType === 'Original' ? intlMessages.original : intlMessages.withWhiteboardAnnotations;
|
const intlFileStateType = fileStateType === 'Original' ? intlMessages.original : intlMessages.withWhiteboardAnnotations;
|
||||||
const href = `${APP.bbbWebBase}/${fileURI}`;
|
const href = `${APP.bbbWebBase}/${fileURI}`;
|
||||||
const warningIcon = '<i class="icon-bbb-warning"></i>';
|
const warningIcon = '<i class="icon-bbb-warning"></i>';
|
||||||
const label = `<span>${intl.formatMessage(intlMessages.download)}</span>`;
|
const label = `<span>${intl.formatMessage(intlMessages.download)}</span>`;
|
||||||
const notAccessibleWarning = `<span title="${intl.formatMessage(intlMessages.notAccessibleWarning)}">${warningIcon}</span>`;
|
const notAccessibleWarning = `<span title="${intl.formatMessage(intlMessages.notAccessibleWarning)}">${warningIcon}</span>`;
|
||||||
const link = `<a aria-label="${intl.formatMessage(intlMessages.notAccessibleWarning)}" href=${href} type="application/pdf" target="_blank" rel="noopener, noreferrer" download>${label} ${notAccessibleWarning}</a>`;
|
const link = `<a aria-label="${intl.formatMessage(intlMessages.notAccessibleWarning)}" href=${href} type="application/pdf" target="_blank" rel="noopener, noreferrer" download>${label} ${notAccessibleWarning}</a>`;
|
||||||
const name = `<span>$(unknown) (${intl.formatMessage(intlFileStateType)})</span>`;
|
const name = `<span>${sanitizedFilename} (${intl.formatMessage(intlFileStateType)})</span>`;
|
||||||
return `${name}</br>${link}`;
|
return `${name}</br>${link}`;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
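Review bot: sanitizedFilename is interpolated straight into the markup string at the `const name = ...` line (the result is evidently HTML, since it is concatenated with `</br>` and an anchor), and stripTags only removes complete `<...>` sequences, so a name containing `&`, quotes, or an unterminated `<img src=x onerror=alert(1)` still reaches the page unescaped — the trailing `>` is supplied by the following `</span>`. The correct sink-side control here is HTML escaping rather than tag stripping, e.g. replace the added line with `const sanitizedFilename = String(filename).replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;');` (or an existing escape helper, if the project has one). The stripTags import is not visible in this hunk, so where it comes from and whether it matches the server-side regex could not be checked. Unrelated but on the same lines, `rel="noopener, noreferrer"` is comma-separated while rel tokens are whitespace-separated, so `noopener,` is not a recognised token; `rel="noopener noreferrer"` is what was intended.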
@ -30,6 +30,7 @@ import org.apache.commons.io.FilenameUtils;
|
|||||||
import org.bigbluebutton.web.services.PresentationService
|
import org.bigbluebutton.web.services.PresentationService
|
||||||
import org.bigbluebutton.presentation.UploadedPresentation
|
import org.bigbluebutton.presentation.UploadedPresentation
|
||||||
import org.bigbluebutton.api.MeetingService;
|
import org.bigbluebutton.api.MeetingService;
|
||||||
|
import org.bigbluebutton.api.util.ParamsUtil;
|
||||||
import org.bigbluebutton.api.Util;
|
import org.bigbluebutton.api.Util;
|
||||||
|
|
||||||
class PresentationController {
|
class PresentationController {
|
||||||
@ -161,6 +162,7 @@ class PresentationController {
|
|||||||
// Gets the name minus the path from a full fileName.
|
// Gets the name minus the path from a full fileName.
|
||||||
// a/b/c.txt --> c.txt
|
// a/b/c.txt --> c.txt
|
||||||
presFilename = FilenameUtils.getName(presOrigFilename)
|
presFilename = FilenameUtils.getName(presOrigFilename)
|
||||||
|
presFilename = ParamsUtil.stripTags(presFilename)
|
||||||
filenameExt = FilenameUtils.getExtension(presFilename)
|
filenameExt = FilenameUtils.getExtension(presFilename)
|
||||||
} else {
|
} else {
|
||||||
log.warn "Upload failed. File Empty."
|
log.warn "Upload failed. File Empty."
|
||||||
|
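Review bot: After `presFilename = ParamsUtil.stripTags(presFilename)` the name can become empty (a name consisting only of tags, e.g. `<b>`), and `FilenameUtils.getExtension` then returns an empty string; nothing in this hunk rejects that, so the upload would proceed with a blank name unless a check exists further down in the method, which starts and ends outside the hunk. A guard right after the stripping line, e.g. `if (!presFilename?.trim()) { log.warn "Upload failed. Empty file name after sanitization."; ... }` failing the upload the same way the `else` branch does for an empty file, would close that gap. stripTags also does not tolerate null, so if `presOrigFilename` can be null here (cannot tell from the hunk) this line turns the earlier `getName` result into a NullPointerException. Note that `<[^>]*>` stripping is bypassable by nested or unterminated tags, so this server-side step is defense in depth only; the client must still HTML-escape the name where it renders it.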