From e4e10c3d6b3ab8ab02844bc7c01fca6f4912f007 Mon Sep 17 00:00:00 2001
From: Wolfsblvt
Date: Fri, 6 Sep 2024 23:14:52 +0200
Subject: [PATCH] /popup allow header arg, with sanitization
---
 public/scripts/slash-commands.js | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/public/scripts/slash-commands.js b/public/scripts/slash-commands.js
index a1e83a4c2..ab83dfeb5 100644
--- a/public/scripts/slash-commands.js
+++ b/public/scripts/slash-commands.js
@@ -1908,7 +1908,9 @@ async function buttonsCallback(args, text) {
 }
 async function popupCallback(args, value) {
- const safeValue = DOMPurify.sanitize(value || '');
+ const safeBody = DOMPurify.sanitize(value || '');
+ const safeHeader = args?.header && typeof args?.header === 'string' ? DOMPurify.sanitize(args.header) : null;
+
 /** @type {import('./popup.js').PopupOptions} */
 const popupOptions = {
 large: isTrueBoolean(args?.large),
@@ -1918,7 +1920,7 @@ async function popupCallback(args, value) {
 okButton: args?.okButton !== undefined && typeof args?.okButton === 'string' ? args.okButton : 'Ok',
 cancelButton: args?.cancelButton !== undefined && typeof args?.cancelButton === 'string' ? args.cancelButton : null,
 };
- await callGenericPopup(safeValue, POPUP_TYPE.TEXT, '', popupOptions);
+ await Popup.show.text(safeHeader, safeBody, popupOptions);
 return String(value);
 }
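Review bot: On the new `safeHeader` line, a header made up only of markup that DOMPurify strips sanitizes to `''`, so the popup receives an empty string rather than `null`. Writing the true branch as `DOMPurify.sanitize(args.header) || null` keeps the "no header" case uniform. DOMPurify's default profile also keeps ordinary HTML such as images, links and inline styles, so the header can still carry markup that loads remote resources or imitates UI. If the header is meant to be a plain title, a restricted call such as `DOMPurify.sanitize(args.header, { ALLOWED_TAGS: [] })` would be tighter. The body of popupCallback continues outside this hunk.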
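Review bot: The `okButton` and `cancelButton` strings in `popupOptions` reach `Popup.show.text` exactly as the caller supplied them, while the header and body beside them are sanitized. Whether the popup renders button labels as text or as HTML is not visible in this hunk, so confirm they are written as text or sanitize them the same way. The function also still ends with `return String(value)`, which returns the raw input, not `safeBody`. A comment such as `// Returns the raw, unsanitized input for piping; sanitize before rendering it anywhere.` would make that explicit. popupCallback begins outside this hunk.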