From 438ea6ccb06f39d7cbb4b6ee7ad44606e21a63dd Mon Sep 17 00:00:00 2001
From: ed
Date: Mon, 24 Feb 2025 21:23:13 +0000
Subject: [PATCH] fix GHSA-m2jw-cj8v-937r ; this fixes a DOM-Based XSS when preparing files for upload; empty files would have their filenames rendered as HTML in a messagebox, making it possible to trick users into running arbitrary javascript by giving them maliciously-named files note that, being a general-purpose webserver, it is still intentionally possible to upload and execute arbitrary javascript, just not in this unexpected manner
---
 copyparty/web/up2k.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/copyparty/web/up2k.js b/copyparty/web/up2k.js
index 5dac213b..6e78ee68 100644
--- a/copyparty/web/up2k.js
+++ b/copyparty/web/up2k.js
@@ -1319,7 +1319,7 @@ function up2k_init(subtle) {
 if (bad_files.length) {
 var msg = L.u_badf.format(bad_files.length, ntot);
 for (var a = 0, aa = Math.min(20, bad_files.length); a < aa; a++)
- msg += '-- ' + bad_files[a][1] + '\n';
+ msg += '-- ' + esc(bad_files[a][1]) + '\n';
 msg += L.u_just1;
 return modal.alert(msg, function () {
@@ -1331,7 +1331,7 @@ function up2k_init(subtle) {
 if (nil_files.length) {
 var msg = L.u_blankf.format(nil_files.length, ntot);
 for (var a = 0, aa = Math.min(20, nil_files.length); a < aa; a++)
- msg += '-- ' + nil_files[a][1] + '\n';
+ msg += '-- ' + esc(nil_files[a][1]) + '\n';
 msg += L.u_just1;
 return modal.confirm(msg, function () {
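Review bot: Nothing at either call site records that `modal.alert` and `modal.confirm` render `msg` as HTML, which is the whole reason the file names now need `esc()`, so the same unescaped concatenation is easy to reintroduce the next time a user-supplied string is appended to `msg`. I would add a comment on the `for` line of the first hunk, `// modal renders msg as HTML; file names are user-supplied, keep them wrapped in esc()`, and the same one-liner on the `nil_files` loop in the second hunk. What `esc()` actually escapes is not visible here; if it only handles text content (`<`, `>`, `&`) that is sufficient at these sites because the name lands in text, not in an attribute or URL, but that is worth confirming against its definition. The `L.u_badf`/`L.u_blankf` format strings receive only the two counts, so they carry no user data and need no escaping. up2k_init's body starts and ends outside both hunks.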