From 91e5882814b1a13eab95b746ed3d90904b4040eb Mon Sep 17 00:00:00 2001
From: crazywoola <100913391+crazywoola@users.noreply.github.com>
Date: Thu, 24 Oct 2024 17:05:09 +0800
Subject: [PATCH] Fix code scanning alert no. 89: DOM text reinterpreted as HTML
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 web/app/components/base/app-icon-picker/Uploader.tsx | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/web/app/components/base/app-icon-picker/Uploader.tsx b/web/app/components/base/app-icon-picker/Uploader.tsx
index 4ddaa40447..547a32accf 100644
--- a/web/app/components/base/app-icon-picker/Uploader.tsx
+++ b/web/app/components/base/app-icon-picker/Uploader.tsx
@@ -1,5 +1,7 @@
 'use client'
+const MAX_FILE_SIZE = 5 * 1024 * 1024; // 5MB
+
 import type { ChangeEvent, FC } from 'react'
 import { createRef, useEffect, useState } from 'react'
 import type { Area } from 'react-easy-crop'
@@ -38,8 +40,9 @@ const Uploader: FC = ({
 const handleLocalFileInput = (e: ChangeEvent) => {
 const file = e.target.files?.[0]
- if (file)
+ if (file && ALLOW_FILE_EXTENSIONS.includes(file.type.split('/').pop()?.toLowerCase() || '') && file.size <= MAX_FILE_SIZE) {
 setInputImage({ file, url: URL.createObjectURL(file) })
+ }
 }
 const {
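Review bot: `MAX_FILE_SIZE` is declared between the `'use client'` directive and the import block, so a statement now precedes the imports; it belongs below the last import, which lies outside this hunk. The trailing semicolon also departs from the semicolon-free style of the neighbouring lines, so the line would read `const MAX_FILE_SIZE = 5 * 1024 * 1024 // 5MB`. A comment stating that this is a client-side convenience limit, and naming the server-side limit it mirrors if one exists, would keep readers from treating it as the enforcement point.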
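Review bot: The new guard in `handleLocalFileInput` matches the MIME subtype of `file.type` against `ALLOW_FILE_EXTENSIONS`, a list of extensions, and the two vocabularies differ: a `.jpg` file reports `image/jpeg`, so it is rejected unless `jpeg` is also in the list, which this hunk does not show. The top-level type is never checked, so any type whose subtype is in the list passes; splitting once with `const [kind, subtype = ''] = file.type.toLowerCase().split('/')` and requiring `kind === 'image'` closes that gap. `file.type` is reported by the browser and not derived from the file's content, so this works as a UX filter only, and the upload endpoint still has to validate type and size itself. A rejected file is now dropped without feedback, so an error state or toast would tell the user why nothing happened. The diff adds no import for `ALLOW_FILE_EXTENSIONS`, so it presumably is already in scope, and any other path into `setInputImage` outside this hunk would need the same guard.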