Improve message encoding in js-mailer

Changed the code to encode the error message text in js-mailer.js. This is done to prevent potential Cross-Site Scripting (XSS) by ensuring any HTML characters entering the message div are properly escaped.
wneessen · Mar 20, 2024 · 7127e17 · 7127e17
1 parent 2721f1f
commit 7127e17
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/code-examples/js-mailer.js b/code-examples/js-mailer.js
@@ -100,6 +100,6 @@ function showError(errorMsg) {
         return false
     }
     msgDiv.innerText = errorMsg
-    msgDiv.innerHTML = msgDiv.innerText + '<button type="button" class="btn-close" data-bs-dismiss="alert" aria-label="Close"></button>'
+    msgDiv.innerHTML = encodeURIComponent(msgDiv.innerText) + '<button type="button" class="btn-close" data-bs-dismiss="alert" aria-label="Close"></button>'
     msgDiv.style.display = 'block'
 }