From c24e8a0a20a6725d7e73d17788a3705d686832be Mon Sep 17 00:00:00 2001
From: vulcandth <vulcandth@gmail.com>
Date: Sun, 8 Dec 2024 14:06:13 -0600
Subject: [PATCH] replace '&' first toprevent double-escaping

---
 index.html | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/index.html b/index.html
index 30b1112..26af6cb 100644
--- a/index.html
+++ b/index.html
@@ -472,7 +472,12 @@ <h1>Polished Crystal Save Patcher</h1>
 			if (oldSaveInput.files.length > 0) {
 				const file = oldSaveInput.files[0];
 				// Escape the file name to prevent XSS
-				const sanitizedFileName = file.name.replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/'/g, "&#039;");
+				const sanitizedFileName = file.name
+					.replace(/&/g, "&amp;")  // Replace '&' first to prevent double-escaping
+					.replace(/</g, "&lt;")
+					.replace(/>/g, "&gt;")
+					.replace(/"/g, "&quot;")
+					.replace(/'/g, "&#039;");
 				dropZone.querySelector('p').textContent = 'Selected file: ' + file.name;
 				fileDetails.innerHTML = `
 					<p><strong>File Name:</strong> ${sanitizedFileName}</p>