From be72a81424e47a34f89b967518b11f06e5722bc1 Mon Sep 17 00:00:00 2001
From: Tatu Lund <tatu@vaadin.com>
Date: Tue, 25 Jun 2024 16:28:52 +0300
Subject: [PATCH 1/2] fix: escape regex operators in upload accept pattern

---
 test/adding-files.html | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/test/adding-files.html b/test/adding-files.html
index a37b8eb..3f6707b 100644
--- a/test/adding-files.html
+++ b/test/adding-files.html
@@ -321,6 +321,20 @@
           upload._addFiles([file]);
           expect(upload.files.length).to.equal(1);
         });
+
+        it('should allow files when using regex operators in accept string', () => {
+          file = createFile(testFileSize, 'image/svg+xml');
+          upload.accept = 'image/svg+xml';
+          upload._addFiles([file]);
+          expect(upload.files.length).to.equal(1);
+        });
+
+        it('should reject files when accept contains regex single character wildcard and file type is not an exact match', () => {
+          file = createFile(testFileSize, 'application/vndxms-excel');
+          upload.accept = 'application/vnd.ms-excel';
+          upload._addFiles([file]);
+          expect(upload.files.length).to.equal(0);
+        });
       });
 
     });

From 5a5605f9cb9fd4661b243a5e5a3d7c224120845a Mon Sep 17 00:00:00 2001
From: Tatu Lund <tatu@vaadin.com>
Date: Tue, 25 Jun 2024 16:30:53 +0300
Subject: [PATCH 2/2] fix: escape regex operators in upload accept pattern

---
 src/vaadin-upload.html | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/vaadin-upload.html b/src/vaadin-upload.html
index ee58fd6..0eb9689 100644
--- a/src/vaadin-upload.html
+++ b/src/vaadin-upload.html
@@ -754,7 +754,10 @@
             return;
           }
           const fileExt = file.name.match(/\.[^\.]*$|$/)[0];
-          const re = new RegExp('^(' + this.accept.replace(/[, ]+/g, '|').replace(/\/\*/g, '/.*') + ')$', 'i');
+          // Escape regex operators common to mime types
+          const escapedAccept = this.accept.replace(/[+.]/g, '\\$&');
+          // Create accept regex that can match comma separated patterns, star (*) wildcards
+          const re = new RegExp(`^(${escapedAccept.replace(/[, ]+/g, '|').replace(/\/\*/g, '/.*')})$`, 'i');
           if (this.accept && !(re.test(file.type) || re.test(fileExt))) {
             this.dispatchEvent(
               new CustomEvent('file-reject', {