Impact
The Nextcloud dialogs library before 3.1.2 did insufficiently escape text input passed to a toast. If your application displays toasts with user-supplied input, this could lead to a XSS vulnerability.
Note: Nextcloud Server employs a strict Content Security Policy that mitigates the risk of these XSS vulnerabilities.
Patches
The vulnerability has been patched in version 3.2.1. If you need to display HTML in the toast, explicitly pass the options.isHTML config flag.
Workarounds
Make sure no user-supplied input flows into toasts.
Impact
The Nextcloud dialogs library before 3.1.2 did insufficiently escape text input passed to a toast. If your application displays toasts with user-supplied input, this could lead to a XSS vulnerability.
Note: Nextcloud Server employs a strict Content Security Policy that mitigates the risk of these XSS vulnerabilities.
Patches
The vulnerability has been patched in version 3.2.1. If you need to display HTML in the toast, explicitly pass the
options.isHTMLconfig flag.Workarounds
Make sure no user-supplied input flows into toasts.