Potential XSS fix

simplerisk · Mar 6, 2021 · 591405b · 591405b
1 parent 267f37d
commit 591405b
Showing 1 changed file with 5 additions and 1 deletion.
diff --git a/simplerisk/js/common.js b/simplerisk/js/common.js
@@ -339,7 +339,11 @@ function checkAndSetValidation(container)
                 issue_el.addClass("error");
                 issue_el.focus()
             }
-            var message = field_required_lang.replace("_XXX_", issue_el.attr("title"))
+
+            // We have to make sure that no html gets through to toastr as it's displaying what it gets 'as is';
+            var escaped = $("<div/>").text(issue_el.attr("title")).html();
+            var message = field_required_lang.replace("_XXX_", escaped);
+
             showAlertFromMessage(message, false)
         }
         return false;