
Commit d99f15a

committed
Merge remote-tracking branch 'origin/alert-autofix-8' into cross-scripting
2 parents d01d766 + a5cb357 commit d99f15a


1 file changed

+3
-1
lines changed


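--- a/feign-form/src/test/java/feign/form/Server.java
+++ b/feign-form/src/test/java/feign/form/Server.java
@@ -28,6 +28,7 @@
 import java.io.IOException;
 import java.util.Collection;
 import java.util.List;
+import org.apache.commons.text.StringEscapeUtils;
 import lombok.val;
 import org.apache.commons.text.StringEscapeUtils;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
@@ -169,8 +170,9 @@ public ResponseEntity<String> uploadUnknownType(@RequestPart("file") MultipartFi
 @PostMapping(path = "/upload/form_data", consumes = MULTIPART_FORM_DATA_VALUE)
 public ResponseEntity<String> uploadFormData(@RequestPart("file") MultipartFile file) {
 val status = file != null ? OK : I_AM_A_TEAPOT;
+String sanitizedFilename = StringEscapeUtils.escapeHtml4(file.getOriginalFilename());
 return ResponseEntity.status(status)
-.body(file.getOriginalFilename() + ':' + file.getContentType());
+.body(sanitizedFilename + ':' + file.getContentType());
 }
 
 @PostMapping(path = "/submit/url", consumes = APPLICATION_FORM_URLENCODED_VALUE)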
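Review bot: The `.body(...)` line in `uploadFormData` still concatenates `file.getContentType()` unescaped, and that value is read from the uploaded part's Content-Type header, so it is as client-controlled as the filename this commit now escapes. Escaping both keeps the fix consistent: `.body(sanitizedFilename + ':' + StringEscapeUtils.escapeHtml4(file.getContentType()));`. Since the body is plain text rather than markup, adding `.contentType(MediaType.TEXT_PLAIN)` to the response would also keep a browser from rendering it as HTML; whether `MediaType` is already imported is not visible in these hunks. Separately, the import added in the first hunk duplicates the `StringEscapeUtils` import two lines below it and can be dropped. The new `sanitizedFilename` line also still dereferences `file` on the path where the null check above it selected `I_AM_A_TEAPOT`.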
