
Filename sanitization rules are inconsistent #6465

Closed
silllli opened this issue Jun 3, 2024 · 6 comments

Comments

@silllli (Contributor)

silllli commented Jun 3, 2024

As a followup from the other issue. I added the following comment, which probably got lost:

I found another inconsistency between server and client side. Str::slug() which is used by F::safeBasename() does

// trim leading and trailing non-word-chars

and uses a-z0-9 in its regex pattern on the server (source). The slug helper in the panel Vue code on the other hand, which should also

// trim leading and trailing non-word-chars

uses the passed allowed character set (new RegExp('^[^' + allowed + ']+', 'g')) in its regex pattern (source).

So you can enter something like _test.jpg in the panel when renaming and uploading a file, but the file will be saved as test.jpg.

Since the panel can’t handle files starting with underscores (for some reason), I would opt to use the more restrictive pattern.
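The divergence described in this comment, as an added example that is not Kirby's own code: a small JavaScript model of the two trimming rules side by side, with a check that tells you whether the name the Panel shows the user will survive the server untouched. The server rule uses the hardcoded `a-z0-9` set quoted above; the Panel rule takes whatever `allowed` class body the caller passes in. The `allowed` value `"a-z0-9_-"`, the sample filenames, the lowercasing step and the name/extension split are assumptions made for illustration, not Kirby's actual configuration or implementation.

```javascript
// Added example (not Kirby's code): models the server-side and Panel-side
// trimming rules described in the issue and checks where they diverge.
// Assumptions: the server set is hardcoded to a-z0-9; the Panel set is
// whatever the caller passes; both lowercase the base name first; only the
// part before the last dot is slugged. All sample values are constructed.

const SERVER_WORD_CHARS = "a-z0-9"; // hardcoded on the server, per the comment

// Split "name.ext" into base and extension so only the base is slugged.
// A name whose only dot is leading (".env") is treated as all base.
function splitName(filename) {
  const dot = filename.lastIndexOf(".");
  if (dot <= 0) return { base: filename, ext: "" };
  return { base: filename.slice(0, dot), ext: filename.slice(dot) };
}

// Trim leading/trailing characters outside `allowed` (a regex class body).
// The class body is interpolated unescaped, mirroring the quoted Panel
// pattern; a "]" or "\" inside `allowed` would silently change the regex.
function trimEdges(base, allowed) {
  return base
    .toLowerCase()
    .replace(new RegExp("^[^" + allowed + "]+"), "")
    .replace(new RegExp("[^" + allowed + "]+$"), "");
}

// Server-side model: the trimming set is fixed and cannot be widened.
function sanitizeServer(filename) {
  const { base, ext } = splitName(filename);
  return trimEdges(base, SERVER_WORD_CHARS) + ext;
}

// Panel-side model: the trimming set is whatever the field passes in.
function sanitizePanel(filename, allowed) {
  const { base, ext } = splitName(filename);
  return trimEdges(base, allowed) + ext;
}

// The check a reviewer wants: does the name the Panel shows the user
// survive the server unchanged? When it does not, the user sees one name
// and gets another (the _test.jpg -> test.jpg case from the report).
function isConsistent(filename, allowed) {
  const shown = sanitizePanel(filename, allowed);
  return sanitizeServer(shown) === shown;
}

// Constructed sample inputs covering leading, trailing and mixed edges.
const SAMPLES = ["_test.jpg", "test_.jpg", "-report-.pdf", "..hidden.txt"];

// Run every sample under one allowed set and report both results.
function report(allowed) {
  return SAMPLES.map((name) => ({
    input: name,
    panel: sanitizePanel(name, allowed),
    server: sanitizeServer(name),
    consistent: isConsistent(name, allowed),
  }));
}

// Stand-alone run: a permissive Panel set (underscore and dash allowed)
// versus one that matches the server's hardcoded set.
if (typeof require !== "undefined" && require.main === module) {
  console.table(report("a-z0-9_-"));
  console.table(report("a-z0-9"));
}
```

With the permissive set, three of the four samples are rewritten by the server after the Panel accepted them; with `"a-z0-9"` the two models agree on all of them. The practical takeaway is the one the comment makes: a client-side `allowed` parameter can only stay consistent with a hardcoded server rule by accident, so either the server rule should be the single source of truth that the Panel calls (or mirrors from a shared constant), or the Panel's default set should be at least as strict as the server's.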

@distantnative (Member)

It hasn't gotten lost. Let's keep it with one issue for this.

distantnative closed this as not planned Jun 3, 2024

@silllli (Contributor, Author)

silllli commented Jun 3, 2024

The other issue was and remains closed as “completed” (after me stating more inconsistencies), so I thought there was a need for a new one to stay visible.

@distantnative (Member)

@silllli as far as I see the PR #6462 does address those as well, or do you see it differently?

@silllli (Contributor, Author)

silllli commented Jun 3, 2024

@distantnative Ah, true! But using the passed allowed character set is prone to becoming out of sync with the sanitization on the server (which is hardcoded) again.

Also, as I mentioned, the Panel can’t handle files starting with an underscore (which was prevented so far) so there is a way to break it now by renaming a file to start with an underscore.

@distantnative (Member)

Which is why the PR also removes them on the Panel/frontend at the start/end of the filename.

@silllli (Contributor, Author)

silllli commented Jun 3, 2024

Perfect. Sorry, I didn’t check all commits and there was no feedback on my additional comment.
