From 88c9d9d15246fe69c3ccb003d5525401988de4f7 Mon Sep 17 00:00:00 2001
From: Julian Lam <julian@nodebb.org>
Date: Tue, 13 Jun 2023 11:55:13 -0400
Subject: [PATCH] fix: improper neutralization of user input in image wrapping
 code

---
 public/src/client/topic/images.js | 20 +++++++++-----------
 1 file changed, 9 insertions(+), 11 deletions(-)

diff --git a/public/src/client/topic/images.js b/public/src/client/topic/images.js
index a04b22a9e9..cc7a055bcc 100644
--- a/public/src/client/topic/images.js
+++ b/public/src/client/topic/images.js
@@ -3,28 +3,26 @@
 
 define('forum/topic/images', [], function () {
 	const Images = {};
+	const suffixRegex = /-resized(\.[\w]+)?$/;
 
 	Images.wrapImagesInLinks = function (posts) {
 		posts.find('[component="post/content"] img:not(.emoji)').each(function () {
 			const $this = $(this);
 			let src = $this.attr('src') || '';
-			const alt = $this.attr('alt') || '';
-			const suffixRegex = /-resized(\.[\w]+)?$/;
-
 			if (src === 'about:blank') {
 				return;
 			}
 
-			if (utils.isRelativeUrl(src) && suffixRegex.test(src)) {
-				src = src.replace(suffixRegex, '$1');
-			}
-			const srcExt = src.split('.').slice(1).pop();
-			const altFilename = alt.split('/').pop();
-			const altExt = altFilename.split('.').slice(1).pop();
-
 			if (!$this.parent().is('a')) {
+				if (utils.isRelativeUrl(src) && suffixRegex.test(src)) {
+					src = src.replace(suffixRegex, '$1');
+				}
+				const alt = $this.attr('alt') || '';
+				const srcExt = src.split('.').slice(1).pop();
+				const altFilename = alt.split('/').pop();
+				const altExt = altFilename.split('.').slice(1).pop();
 				$this.wrap('<a href="' + src + '" ' +
-					(!srcExt && altExt ? ' download="' + altFilename + '" ' : '') +
+					(!srcExt && altExt ? ' download="' + utils.escapeHTML(altFilename) + '" ' : '') +
 					' target="_blank" rel="noopener">');
 			}
 		});