Vulnerability Arbitrary Image Upload + XSS Via Image Name

[jeagercoder]

https://github.com/pylixm/django-mdeditor/blob/master/mdeditor/views.py

1.no authentication check so anyone can upload image file
2.Name of uploaded file is not cleaned so it is vulnerable to XSS attack, one can upload file with name like: "><script>alert(1)</script>

[pylixm]

@zonefteam Thank you for your reminder, I will fix it later.

Before releasing the new version, I hope everyone can check whether the problem will bring security risks to their services.

[jeagercoder]

of course because it is a security vulnerability.

1. arbitrary file upload
   2, XSS stored

in our community there are some people who use django mdeditor, after I told them they immediately disabled the vulnerable upload feature