0
votes

I'm using rich:fileUpload in my application on Linux. When I try to upload any file whose name contains HTML code, e.g. "file<img src=xyz onerror=alert('TEST')>Name.png", it gives me a JavaScript alert before uploading the file. I tried it on the live demo and found the same issue there as well. How can I restrict/escape the execution of HTML/script (XSS) in the file name on Linux?

You can try it yourself by following these steps on Linux.

1. Create a file named "file<img src=xyz onerror=alert('TEST')>Name.png".
2. Open the rich:fileUpload demo on the RichFaces showcase using the URL below.
3. Upload the file and you will see a JavaScript alert.

http://showcase.richfaces.org:8000/richfaces/component-sample.jsf?demo=fileUpload&skin=blueSky
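The alert fires because the browser-side code writes the raw file name into the page as markup, so the fix is to treat the name as text, never as HTML. The following is an added JavaScript example, not RichFaces code, showing HTML-encoding of the file name quoted in the question and a whitelist sanitiser; the function names are my own.

```javascript
// Added example (not RichFaces code). The file name is the one from the question.
const UNSAFE_NAME = "file<img src=xyz onerror=alert('TEST')>Name.png";

// HTML-encode the characters that matter when a string is inserted as markup.
// Use this whenever the name is written into the page (innerHTML, templates, JSF output).
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Whitelist sanitiser for storing or displaying the name: drop any path part,
// replace every character outside [A-Za-z0-9._-] with "_". Returns null if nothing is left.
function sanitizeFileName(name) {
  const base = String(name).split(/[\\/]/).pop();
  const cleaned = base.replace(/[^A-Za-z0-9._-]/g, "_");
  return cleaned.length ? cleaned : null;
}

// Detection helper: true when the name contains markup-significant characters,
// so an upload handler can reject the file outright instead of rendering it.
function containsMarkup(name) {
  return /[<>"'&]/.test(String(name));
}
```

Escaping preserves the original name for display, while the sanitiser produces a name that is also safe to use on the filesystem.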

1
I fail to understand the problem. I get an expected JavaScript alert that only certain types are supported if I select a PDF file (doing that from Linux). - Kukeltje

Ok, I misunderstood the problem. Does this work on Windows or Mac? - Kukeltje

In Windows we don't add file names with '<' or '>'. - Jamshoo Lakhani

How does it add the filename then on Windows? - Kukeltje

1 Answer

-1
votes

I try to upload any file containing html code in file name i.e "fileName.png".

You are saying there is HTML code in the file name, but I don't see any HTML in "fileName.png".

If I'm not wrong, the file name should be something like file<img src=x onerror=alert('Javascript')>.pdf.