Merge pull request #2709 from basecamp/fix-html-injecton-through-import-filenames

Prevent HTML injection through filenames
This commit is contained in:
Stanko Krtalić
2026-03-16 17:57:38 +01:00
committed by GitHub
@@ -15,7 +15,7 @@ export default class extends Controller {
}
#showFileName() {
this.fileNameTarget.innerHTML = this.#file.name
this.fileNameTarget.innerText = this.#file.name
this.fileNameTarget.removeAttribute("hidden")
this.placeholderTarget.setAttribute("hidden", true)
}