fix GHSA-8mx2-rjh8-q3jq ;

this fixes a DOM-Based XSS in the recent-uploads page: it was possible to execute arbitrary javascript by tricking someone into visiting `/?ru&filter=</script>` huge thanks to @Ju0x for finding and reporting this!
2025-08-17 09:02:15 -06:00 · 2025-07-30 21:19:39 +00:00 · 2025-07-30 21:19:39 +00:00 · a8705e611d
parent b7ca6f4a66
commit a8705e611d
2 changed files with 6 additions and 1 deletions
--- a/copyparty/httpcli.py
+++ b/copyparty/httpcli.py
@ -81,6 +81,7 @@ from .util import (
    html_escape,
    humansize,
    ipnorm,
+    json_hesc,
    justcopy,
    load_resource,
    loadpy,
@ -5595,7 +5596,7 @@ class HttpCli(object):
            self.reply(jtxt.encode("utf-8", "replace"), mime="application/json")
            return True

-        html = self.j2s("rups", this=self, v=jtxt)
+        html = self.j2s("rups", this=self, v=json_hesc(jtxt))
        self.reply(html.encode("utf-8"), status=200)
        return True

--- a/copyparty/util.py
+++ b/copyparty/util.py
@ -2253,6 +2253,10 @@ def find_prefix(ips: list[str], cidrs: list[str]) -> list[str]:
    return ret


+def json_hesc(s: str) -> str:
+    return s.replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")
+
+
 def html_escape(s: str, quot: bool = False, crlf: bool = False) -> str:
    """html.escape but also newlines"""
    s = s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")