Fix XSS: escape userName in reply form insertAdjacentHTML template

showReplyForm() read userName from data-user attribute (decoded by
the browser from HTML entities) and injected it unsanitized into
insertAdjacentHTML() — any HTML special chars would be parsed as markup.
Fix: wrap with lt.escHtml() before interpolation.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
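The defect the message describes, as an added example that is not the repository's own code: `escHtml`, `decodeAttr`, `replyHeaderUnsafe` and `replyHeaderSafe` are stand-ins written here, since the real `lt.escHtml()` is not shown on this page.

```javascript
// Added example, not project code. A minimal HTML escaper standing in for the
// unseen lt.escHtml(): every character that can open markup or break out of a
// quoted attribute is replaced with its entity.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// The browser decodes entities when an attribute is read (e.g. element.dataset.user),
// so entity-encoding in the HTML source gives no protection once the value is
// re-inserted as markup. This models that decode step for the sample below.
function decodeAttr(attr) {
  return attr
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&amp;/g, '&');
}

// Before the fix: the decoded data-user value is interpolated raw into the
// template that showReplyForm() hands to insertAdjacentHTML().
function replyHeaderUnsafe(userName) {
  return `<span>Replying to <span class="replying-to">@${userName}</span></span>`;
}

// After the fix: the value is escaped, so the HTML parser sees text, not tags.
function replyHeaderSafe(userName) {
  return `<span>Replying to <span class="replying-to">@${escHtml(userName)}</span></span>`;
}

// Constructed sample: a display name containing markup, as it would appear
// entity-encoded inside data-user="..." in the server-rendered page.
const DATA_USER_ATTR = '&lt;b&gt;bob&lt;/b&gt;';

// Returns both renderings for the decoded sample name so the difference is visible.
function demo() {
  const userName = decodeAttr(DATA_USER_ATTR); // '<b>bob</b>'
  return { unsafe: replyHeaderUnsafe(userName), safe: replyHeaderSafe(userName) };
}
```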
2026-03-28 13:38:30 -04:00
parent 170bd86aa6
commit e2c23d0405
+1 -1
@@ -1269,7 +1269,7 @@ function showReplyForm(commentId, userName) {
const replyFormHtml = ` const replyFormHtml = `
<div class="reply-form-container" data-parent-id="${commentId}"> <div class="reply-form-container" data-parent-id="${commentId}">
<div class="reply-header"> <div class="reply-header">
<span>Replying to <span class="replying-to">@${userName}</span></span> <span>Replying to <span class="replying-to">@${lt.escHtml(userName)}</span></span>
<button type="button" class="close-reply-btn" data-action="close-reply">CANCEL</button> <button type="button" class="close-reply-btn" data-action="close-reply">CANCEL</button>
</div> </div>
<textarea id="replyText" placeholder="Write your reply..."></textarea> <textarea id="replyText" placeholder="Write your reply..."></textarea>
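Review bot: `commentId` is still interpolated raw into `data-parent-id="${commentId}"` on the first line of the same template; only `userName` gets `lt.escHtml()`. If `commentId` can ever be anything other than a numeric id, either pass it through `lt.escHtml()` as well or validate it as an integer before building the string, since that is an attribute context and a stray `"` would close the attribute. Also worth confirming in the helper (not visible in this hunk) that `lt.escHtml()` escapes `&`, `<` and `>` at minimum, which is what the text-node position of `@${lt.escHtml(userName)}` requires.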