Merge pull request #2709 from basecamp/fix-html-injecton-through-import-filenames
Prevent HTML injection through filenames
This commit is contained in:
@@ -15,7 +15,7 @@ export default class extends Controller {
|
||||
}
|
||||
|
||||
#showFileName() {
|
||||
this.fileNameTarget.innerHTML = this.#file.name
|
||||
this.fileNameTarget.innerText = this.#file.name
|
||||
this.fileNameTarget.removeAttribute("hidden")
|
||||
this.placeholderTarget.setAttribute("hidden", true)
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user