Cross-site Scripting (XSS)

An attacker crafts a file whose name contains malicious JavaScript code (e.g. `<img src=x onerror=alert(1)>.jpg`). A user must be tricked into uploading such a file through the file-upload-with-preview component. When the library displays the file name in the input label, the unsanitized name is injected into the DOM via `innerHTML`, causing the attacker's script to execute in the context of the user's session [CWE-79]. The attack requires no special network position beyond serving the vulnerable page to the victim.

The vulnerability resides in the `FileUploadWithPreview` class, specifically in the method that updates the input label after a file is selected. In the bundled output (`dist/file-upload-with-preview.umd.js` and `dist/file-upload-with-preview.esm.js`), the line `this.inputLabel.innerHTML = file.name;` was replaced with `this.inputLabel.textContent = file.name;` [patch_id=6635401]. This change prevents the file name from being interpreted as HTML, closing the cross-site scripting vector.

The patch changes `this.inputLabel.innerHTML = file.name;` to `this.inputLabel.textContent = file.name;` in both the UMD and ESM bundles [patch_id=6635401]. The `textContent` property automatically HTML-encodes the assigned string, so any HTML or JavaScript embedded in the file name is rendered as plain text rather than executed. This eliminates the stored cross-site scripting vector without altering the library's API or behavior.