From 9081232e7cd30c2e3d4790eaa2eeff799dc2bea9 Mon Sep 17 00:00:00 2001
From: opalmay <65673442+opalmay@users.noreply.github.com>
Date: Thu, 20 May 2021 22:16:26 +0300
Subject: [PATCH] fix: disallow # char in file uploads (#3770)

---
 server/controllers/upload.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/server/controllers/upload.js b/server/controllers/upload.js
index c6a3685d22..3da4dcac77 100644
--- a/server/controllers/upload.js
+++ b/server/controllers/upload.js
@@ -76,7 +76,7 @@ router.post('/u', (req, res, next) => {
   }
 
   // Sanitize filename
-  fileMeta.originalname = sanitize(fileMeta.originalname.toLowerCase().replace(/[\s,;]+/g, '_'))
+  fileMeta.originalname = sanitize(fileMeta.originalname.toLowerCase().replace(/[\s,;#]+/g, '_'))
 
   // Check if user can upload at path
   const assetPath = (folderId) ? hierarchy.map(h => h.slug).join('/') + `/${fileMeta.originalname}` : fileMeta.originalname