fix GHSA-8mx2-rjh8-q3jq ;

this fixes a DOM-Based XSS in the recent-uploads page:

it was possible to execute arbitrary javascript by
tricking someone into visiting `/?ru&filter=</script>`

huge thanks to @Ju0x for finding and reporting this!

Author: 9001

copyparty/httpcli.py

@@ -81,6 +81,7 @@
     html_escape,
     humansize,
     ipnorm,
+    json_hesc,
     justcopy,
     load_resource,
     loadpy,
@@ -5595,7 +5596,7 @@ def tx_rups(self) -> bool:
             self.reply(jtxt.encode("utf-8", "replace"), mime="application/json")
             return True
 
-        html = self.j2s("rups", this=self, v=jtxt)
+        html = self.j2s("rups", this=self, v=json_hesc(jtxt))
         self.reply(html.encode("utf-8"), status=200)
         return True
 

copyparty/util.py

@@ -2253,6 +2253,10 @@ def find_prefix(ips: list[str], cidrs: list[str]) -> list[str]:
     return ret
 
 
+def json_hesc(s: str) -> str:
+    return s.replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")
+
+
 def html_escape(s: str, quot: bool = False, crlf: bool = False) -> str:
     """html.escape but also newlines"""
     s = s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")