[xss] - XSS via filename

[push-pull-deploy]

https://github.com/grevory/bootstrap-file-input/blob/master/bootstrap.file-input.js#L112:

$(this).parent().after('<span class="file-input-name">'+fileName+'</span>');

This opens up users of this library to XSS attacks [1]. fileName should be escaped before it is used inside raw HTML.

[1] https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

[push-pull-deploy]

I would suggest a fix that uses textContent or jQuery's text() method:

diff --git a/vendor/assets/javascripts/bootstrap-fileinput.js b/vendor/assets/javascripts/bootstrap-fileinput.js
index 9467b45..d912909 100644
--- a/vendor/assets/javascripts/bootstrap-fileinput.js
+++ b/vendor/assets/javascripts/bootstrap-fileinput.js
@@ -103,7 +103,9 @@ $.fn.bootstrapFileInput = function() {
         fileName = fileName.substring(fileName.lastIndexOf('\\')+1,fileName.length);
       }

-      $(this).parent().after('<span class="file-input-name">'+fileName+'</span>');
+      var span = jQuery('<span></span>', {"class":"file-input-name"});
+      span.text(fileName);
+      $(this).parent().after(span);
     });

   });