
Commit 0a291ab

Potential fix for code scanning alert no. 3: DOM text reinterpreted as HTML
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
1 parent 784a3a0 commit 0a291ab


1 file changed

+11
-2
lines changed


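--- a/frontend/src/components/forms/IconSearch.tsx
+++ b/frontend/src/components/forms/IconSearch.tsx
@@ -77,13 +77,22 @@ export const IconSearch = ({ control, errors, onCustomIconSelect }: Props) => {
 }
 
 // Create a temporary preview URL
+// Validate file type
+if (!file.type.startsWith('image/')) {
+console.error('Invalid file type. Only image files are allowed.');
+return;
+}
+
 const objectUrl = URL.createObjectURL(file);
 setTempPreviewUrl(objectUrl);
 
+// Sanitize the object URL
+const sanitizedObjectUrl = encodeURI(objectUrl);
+
 // Create a valid icon object
 const tempIcon: Icon = {
 name: file.name.replace(/\.[^/.]+$/, ''), // Remove extension
-path: objectUrl,
+path: sanitizedObjectUrl,
 source: 'custom-pending'
 };
 
@@ -203,7 +212,7 @@ export const IconSearch = ({ control, errors, onCustomIconSelect }: Props) => {
 <Box ml={1}>
 <img
 src={selectedIcon.source === 'custom-pending'
-? selectedIcon.path
+? encodeURI(selectedIcon.path)
 : getIconPath(selectedIcon.path)}
 alt={selectedIcon.name}
 width={25}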
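Review bot: The two `encodeURI` calls (the `sanitizedObjectUrl` line in the first hunk and `encodeURI(selectedIcon.path)` in the second) do not address the alert they were generated for: `objectUrl` comes straight from `URL.createObjectURL`, which yields a browser-generated `blob:` URL with no characters for `encodeURI` to change, and the second call re-encodes a value that was already encoded at line 90, so a `%` in any future non-blob path would be double-encoded. A React `src` attribute is escaped by the renderer regardless, so the change is a no-op rather than a mitigation; I would revert to `path: objectUrl,` and `? selectedIcon.path` and, if a guard is wanted where the preview is rendered, check the scheme instead, e.g. `selectedIcon.path.startsWith('blob:')`, with a comment that custom-pending paths are always blob URLs created by this component. The added `file.type.startsWith('image/')` check is reasonable UX, but `file.type` is derived by the browser from the file name and should be documented as such (`// MIME type is client-derived; not a substitute for server-side validation of the uploaded bytes`). I also cannot see a matching `URL.revokeObjectURL` in this view; if the previous `tempPreviewUrl` is not revoked before `setTempPreviewUrl(objectUrl)`, each selection leaks a blob, which is worth confirming. The enclosing `IconSearch` component starts and ends outside both hunks.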
