0 Replies Latest reply on Apr 28, 2018 10:57 AM by shivampandya

    rich:fileUpload issue on redhat

    shivampandya

      I'm using rich:fileUpload in my application on redhat when I try to upload any file containing html code in file name i.e "file<img src=sam onerror=alert('poseidon')>Name.pdf", it gives me javascript alert before uploading the file. I tried it on live demo and found the same issue there as well. How can I restrict/escape execution of html/script or XSS in file name on redhat?

       

      You can try it yourself by following steps on redhat.

       

      • Create a file with name like: "file<script>.pdf"  for example: "file<img src=shivam onerror=alert(document.domain)>Name.pdf"
      • Access rich:fileUpload demo on richfaces showcase using below url.
      • Upload file and you will see a javascript alert.

       

      I want to filter that out to prevent javascript from getting executed.