From e7ab43527a0d7779fb86d342b6781823a94b80a4 Mon Sep 17 00:00:00 2001
From: Wolfsblvt
Date: Mon, 24 Jun 2024 03:09:46 +0200
Subject: [PATCH] Fix /echo command falsely stripping HTML-like text
---
 public/scripts/slash-commands.js | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/public/scripts/slash-commands.js b/public/scripts/slash-commands.js
index a48805863..ebbbd42b1 100644
--- a/public/scripts/slash-commands.js
+++ b/public/scripts/slash-commands.js
@@ -1940,8 +1940,8 @@ async function generateCallback(args, value) {
 }
 async function echoCallback(args, value) {
- const safeValue = DOMPurify.sanitize(String(value) || '');
- if (safeValue === '') {
+ // Note: We don't need to sanitize input, as toastr is set up by default to escape HTML via toastr options
+ if (value === '') {
 console.warn('WARN: No argument provided for /echo command');
 return;
 }
@@ -1949,17 +1949,17 @@ async function echoCallback(args, value) {
 const severity = args?.severity !== undefined && typeof args?.severity === 'string' ? args.severity : 'info';
 switch (severity) {
 case 'error':
- toastr.error(safeValue, title);
+ toastr.error(value, title);
 break;
 case 'warning':
- toastr.warning(safeValue, title);
+ toastr.warning(value, title);
 break;
 case 'success':
- toastr.success(safeValue, title);
+ toastr.success(value, title);
 break;
 case 'info':
 default:
- toastr.info(safeValue, title);
+ toastr.info(value, title);
 break;
 }
 return value;
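Review bot: The rewritten guard `if (value === '')` no longer coerces the argument the way the removed `String(value) || ''` did, so anything that is not a string (for example `undefined` when a caller passes no value) skips the warning and is handed to toastr as-is. Whether the command parser can deliver a non-string here is not visible in the hunk, so this is a robustness point rather than a confirmed bug. Normalising once keeps the check and the toast text consistent: `const text = String(value ?? '');` followed by `if (text === '') {`. The rest of echoCallback, including the toastr calls that would use `text`, lies in the next hunk.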
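Review bot: The four toastr calls in this hunk now pass raw `value`, so HTML escaping rests entirely on the global toastr option the comment in the previous hunk refers to, and that setting is not visible in the diff. toastr's own default for `escapeHtml` is off, so if the project-wide options are changed, reset, or loaded after an early /echo, the command output would be rendered as markup. Passing the option per call makes the dependency explicit and local, e.g. `toastr.error(value, title, { escapeHtml: true });` and likewise for `warning`, `success` and `info`. `title` is assigned outside the hunk and goes through the same call, so the override would presumably cover it too. A short comment naming where the global option is set would also help the next reader verify the claim.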