From 63c6fbaf589139c74e8a0d0aaada3c15c8236c89 Mon Sep 17 00:00:00 2001
From: Wolfsblvt
Date: Fri, 6 Sep 2024 21:18:16 +0200
Subject: [PATCH] /echo html allowed sanitize title too
---
 public/scripts/slash-commands.js | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/public/scripts/slash-commands.js b/public/scripts/slash-commands.js
index 630c0fcb8..6fd85c25e 100644
--- a/public/scripts/slash-commands.js
+++ b/public/scripts/slash-commands.js
@@ -2227,7 +2227,7 @@ async function echoCallback(args, value) {
 // Make sure that the value is a string
 value = String(value);
- const title = args.title ? args.title : undefined;
+ let title = args.title ? args.title : undefined;
 const severity = args.severity ? args.severity : 'info';
 /** @type {ToastrOptions} */
@@ -2259,6 +2259,7 @@ async function echoCallback(args, value) {
 // If we allow HTML, we need to sanitize it to prevent security risks
 if (!options.escapeHtml) {
+ if (title) title = DOMPurify.sanitize(title, { FORBID_TAGS: ['style'] });
 value = DOMPurify.sanitize(value, { FORBID_TAGS: ['style'] });
 }
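Review bot: In the second hunk the new `title` sanitization repeats the `{ FORBID_TAGS: ['style'] }` literal already used for `value`, so the two calls can drift apart the next time the profile is tightened; hoist it once at module level, `const ECHO_SANITIZE_OPTIONS = { FORBID_TAGS: ['style'] };`, and use `if (title) title = DOMPurify.sanitize(title, ECHO_SANITIZE_OPTIONS);` and `value = DOMPurify.sanitize(value, ECHO_SANITIZE_OPTIONS);`. Note that `FORBID_TAGS: ['style']` only drops `<style>` elements; DOMPurify's defaults still permit inline `style` attributes and `<img src>`/`<a href>` to external origins, so an /echo payload with HTML enabled can still trigger outbound requests from the viewer's browser — either add a comment stating that this is the accepted threat model for this command, or add `FORBID_ATTR: ['style']` and a URI restriction if it is not. The `if (title)` guard also means the sanitizer is only reached when `args.title` is truthy; whether the slash-command parser can hand over a non-string here is not visible in the hunk and should be confirmed. `echoCallback` starts before the first hunk and continues past the second, so the fate of `title` after this block (presumably the toastr call) is outside what this diff shows.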