Fix XSS: escape userName in reply form insertAdjacentHTML template

showReplyForm() read userName from data-user attribute (decoded by
the browser from HTML entities) and injected it unsanitized into
insertAdjacentHTML() — any HTML special chars would be parsed as markup.
Fix: wrap with lt.escHtml() before interpolation.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
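The round trip the commit message describes, as an added example that is not part of this repository's code: a display name is escaped correctly when first rendered into a `data-user` attribute, but reading it back through `dataset` (or `getAttribute`) hands `showReplyForm()` the decoded string, so the escaping has to be applied again at the point of re-insertion. `escHtml` below is an assumption about what `lt.escHtml` does; `decodeAttr` is a stand-in for the browser's entity decoding so the example runs without a DOM, and the user name is a constructed sample.

```javascript
// Assumed stand-in for lt.escHtml: escape the five characters that can
// start markup or break out of a quoted attribute value.
function escHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Stand-in for what the browser does when code reads el.dataset.user:
// the entities in the attribute value are decoded back to characters.
function decodeAttr(s) {
  const map = { amp: '&', lt: '<', gt: '>', quot: '"', '#39': "'" };
  return s.replace(/&(amp|lt|gt|quot|#39);/g, (_, e) => map[e]);
}

// The template fragment before the fix: userName goes into the HTML
// string as-is, so any markup in it is parsed by insertAdjacentHTML.
function replyHeaderVulnerable(userName) {
  return `<span>Replying to <span class="replying-to">@${userName}</span></span>`;
}

// The template fragment after the fix: escape at the insertion point.
function replyHeaderFixed(userName) {
  return `<span>Replying to <span class="replying-to">@${escHtml(userName)}</span></span>`;
}

// Constructed sample: a hostile display name that was escaped correctly
// when the comment list was first rendered into a data-user attribute.
const hostileName = '<img src=x onerror=alert(1)>';
const storedAttr = escHtml(hostileName);          // what sits in the HTML source
const userNameFromDataset = decodeAttr(storedAttr); // what showReplyForm receives

// True if the fragment would create an <img> element when parsed.
function injectsImgTag(html) {
  return /<img\b/.test(html);
}
```

The key observation is `userNameFromDataset === hostileName`: escaping at render time protects the comment list, not the reply form, because the browser undoes it on read. Escape at every place a string is turned back into markup, or build the form with `document.createElement` and `textContent` so there is nothing to escape.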
2026-03-28 13:38:30 -04:00
parent 170bd86aa6
commit e2c23d0405
+1 -1
@@ -1269,7 +1269,7 @@ function showReplyForm(commentId, userName) {
const replyFormHtml = `
<div class="reply-form-container" data-parent-id="${commentId}">
<div class="reply-header">
<span>Replying to <span class="replying-to">@${userName}</span></span>
<span>Replying to <span class="replying-to">@${lt.escHtml(userName)}</span></span>
<button type="button" class="close-reply-btn" data-action="close-reply">CANCEL</button>
</div>
<textarea id="replyText" placeholder="Write your reply..."></textarea>
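Review bot: commentId is still interpolated unescaped into the data-parent-id attribute two lines above the fixed line (`<div class="reply-form-container" data-parent-id="${commentId}">`); unless it is guaranteed to be numeric, either validate it as an integer before building the template or escape it the same way. The fix on the replying-to line is only as good as lt.escHtml, whose implementation this hunk does not show; confirm it escapes at least &, < and > (and quotes, if it is to be reused in attribute context). Since the rest of this template is also built by string concatenation and handed to insertAdjacentHTML, building the form with document.createElement and textContent would remove the need to remember escaping at each interpolation site.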