2.3.8 release with security fixes

Author: spocke

SECURITY.md

@@ -0,0 +1 @@
+Tiny values the work of security researchers in improving the security of technology products worldwide. We welcome researchers who wish to responsibly disclose vulnerabilities in our products or systems. Note that we do not offer any “bug bounty” program or any form of payment for disclosed vulnerabilities. If you would like to report a vulnerability, please email infosec@tiny.cloud.

js/jquery.plupload.queue/jquery.plupload.queue.js

@@ -223,7 +223,7 @@ used as it is.
 
 						fileList.append(
 							'<li id="' + file.id + '">' +
-								'<div class="plupload_file_name"><span>' + file.name + '</span></div>' +
+								'<div class="plupload_file_name"><span>' + plupload.xmlEncode(file.name) + '</span></div>' +
 								'<div class="plupload_file_action"><a href="#"></a></div>' +
 								'<div class="plupload_file_status">' + file.percent + '%</div>' +
 								'<div class="plupload_file_size">' + plupload.formatSize(file.size) + '</div>' +
@@ -306,7 +306,7 @@ used as it is.
 
 									// Rename file and glue extension back on
 									file.name = targetInput.val() + ext;
-									targetSpan.html(file.name);
+									targetSpan.text(file.name);
 									targetInput.blur();
 								}
 							});

js/jquery.plupload.queue/jquery.plupload.queue.min.js

@@ -491,7 +491,7 @@ $.widget("ui.plupload", {
 					break;
 			}
 
-			message += " <br /><i>" + details + "</i>";
+			message += " <br /><i>" + plupload.xmlEncode(details) + "</i>";
 
 			self._trigger('error', null, { up: up, error: err } );
 
@@ -1313,7 +1313,7 @@ $.widget("ui.plupload", {
 					// Rename file and glue extension back on
 					if (e.keyCode === 13) {
 						file.name = nameInput.val() + ext;
-						nameSpan.html(file.name);
+						nameSpan.text(file.name);
 					}
 					nameInput.blur();
 				}

js/jquery.ui.plupload/jquery.ui.plupload.js

@@ -15,8 +15,8 @@
         "Silverlight",
         "moxie"
     ],
-    "version": "2.3.7",
-    "releaseDate": "2021-03-29",
+    "version": "2.3.8",
+    "releaseDate": "2021-11-15",
     "author": "Ephox",
     "contributors": [{
         "name": "Davit Barbakadze",

js/jquery.ui.plupload/jquery.ui.plupload.min.js

@@ -223,7 +223,7 @@ used as it is.
 
 						fileList.append(
 							'<li id="' + file.id + '">' +
-								'<div class="plupload_file_name"><span>' + file.name + '</span></div>' +
+								'<div class="plupload_file_name"><span>' + plupload.xmlEncode(file.name) + '</span></div>' +
 								'<div class="plupload_file_action"><a href="#"></a></div>' +
 								'<div class="plupload_file_status">' + file.percent + '%</div>' +
 								'<div class="plupload_file_size">' + plupload.formatSize(file.size) + '</div>' +
@@ -306,7 +306,7 @@ used as it is.
 
 									// Rename file and glue extension back on
 									file.name = targetInput.val() + ext;
-									targetSpan.html(file.name);
+									targetSpan.text(file.name);
 									targetInput.blur();
 								}
 							});

package.json

@@ -491,7 +491,7 @@ $.widget("ui.plupload", {
 					break;
 			}
 
-			message += " <br /><i>" + details + "</i>";
+			message += " <br /><i>" + plupload.xmlEncode(details) + "</i>";
 
 			self._trigger('error', null, { up: up, error: err } );
 
@@ -1313,7 +1313,7 @@ $.widget("ui.plupload", {
 					// Rename file and glue extension back on
 					if (e.keyCode === 13) {
 						file.name = nameInput.val() + ext;
-						nameSpan.html(file.name);
+						nameSpan.text(file.name);
 					}
 					nameInput.blur();
 				}