Prevent XSS by escaping user_set_url_params

2025-02-02 14:18:43 +08:00 · 2024-04-20 16:34:15 -07:00 · 2024-04-20 16:34:15 -07:00 · 2ecea9a7b0
commit 2ecea9a7b0
parent 8713db3d55
1 changed files with 1 additions and 1 deletions
--- a/src/UI/UIWindow.js
+++ b/src/UI/UIWindow.js
@ -214,7 +214,7 @@ async function UIWindow(options) {
                data-sort_order ="${options.sort_order ?? 'asc'}"
                data-multiselectable = "${options.selectable_body}"
                data-update_window_url = "${options.update_window_url}"
-                data-user_set_url_params = "${user_set_url_params}"
+                data-user_set_url_params = "${html_encode(user_set_url_params)}"
                data-initial_zindex = "${zindex}"
                style=" z-index: ${zindex}; 
                        ${options.width !== undefined ? 'width: ' + html_encode(options.width) +'; ':''}