From 25d8286dfcb77f16608d505b980e48c04a07376b Mon Sep 17 00:00:00 2001
From: Wolfsblvt
Date: Fri, 6 Sep 2024 20:31:13 +0200
Subject: [PATCH] DOM.purify toast if HTML is allowed

---
 public/scripts/slash-commands.js | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/public/scripts/slash-commands.js b/public/scripts/slash-commands.js
index 4ee796298..594003508 100644
--- a/public/scripts/slash-commands.js
+++ b/public/scripts/slash-commands.js
@@ -2251,6 +2251,11 @@ async function echoCallback(args, value) {
 }
 }
+ // If we allow HTML, we need to sanitize it to prevent security risks
+ if (!options.escapeHtml) {
+ value = DOMPurify.sanitize(value, { FORBID_TAGS: ['style'] });
+ }
+
 let toast;
 switch (severity) {
 case 'error':
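Review bot: `FORBID_TAGS: ['style']` removes `<style>` elements, but DOMPurify's default profile still permits the inline `style` attribute, so if the intent is to keep toast markup from restyling the page the call should also forbid the attribute, `value = DOMPurify.sanitize(value, { FORBID_TAGS: ['style'], FORBID_ATTR: ['style'] });`. The added comment names "security risks" without saying which; `// escapeHtml=false renders value as HTML in the toast, so strip scripts/event handlers and <style> before it reaches toastr` would tell the next reader why both the sanitize call and the style exclusion are there. `options` and every later use of `value` are outside the hunk, so it is not visible whether `escapeHtml` can be undefined here; if it can, and the text is still HTML-escaped afterwards, DOMPurify's serialized output (e.g. `<` becoming `&lt;`) would be escaped a second time, which is worth confirming against the defaulting code. echoCallback begins before and continues after this hunk.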