From 8f6fca94fa4ac356e56be7260a3fc5e824be2c60 Mon Sep 17 00:00:00 2001 From: "Stanko K.R." Date: Mon, 16 Mar 2026 17:50:31 +0100 Subject: [PATCH] Prevent HTML injection through filenames --- app/javascript/controllers/upload_preview_controller.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/javascript/controllers/upload_preview_controller.js b/app/javascript/controllers/upload_preview_controller.js index d7b0bd478..7e25d50a3 100644 --- a/app/javascript/controllers/upload_preview_controller.js +++ b/app/javascript/controllers/upload_preview_controller.js @@ -15,7 +15,7 @@ export default class extends Controller { } #showFileName() { - this.fileNameTarget.innerHTML = this.#file.name + this.fileNameTarget.innerText = this.#file.name this.fileNameTarget.removeAttribute("hidden") this.placeholderTarget.setAttribute("hidden", true) }