GHSA-grj5-8fcj-34gh/CVE-2024-29894 fix for develop (#5752)

* GHSA-grj5-8fcj-34gh/CVE-2024-29894 fix for develop * raise_message_javascript: switch to long tags * raise_message_javascript: sync fix 1.2.x to also fix CVE-2023-50250/GHSA-xwqc-7jc4-xm73
Cacti · May 18, 2024 · 2a3ac8e · 2a3ac8e
1 parent ef2cb06
commit 2a3ac8e
Showing 1 changed file with 6 additions and 1 deletion.
diff --git a/lib/functions.php b/lib/functions.php
@@ -1186,8 +1186,13 @@ function raise_message(string|int $message_id, string $message = '', int $messag
 function raise_message_javascript(string $title, string $header, string $message, int $level = MESSAGE_LEVEL_MIXED) {
 	?>
 	<script type='text/javascript'>
+	var mixedReasonTitle = DOMPurify.sanitize(<?php print json_encode($title, JSON_THROW_ON_ERROR);?>);
+	var mixedOnPage      = DOMPurify.sanitize(<?php print json_encode($header, JSON_THROW_ON_ERROR);?>);
+	var message          = DOMPurify.sanitize(<?php print json_encode($message, JSON_THROW_ON_ERROR);?>);
+	var level            = <?php print $level; ?>;
+
 	$(function() {
-		raiseMessage('<?= $title?>', '<?= $header?>', '<?= $message ?>', <?= $level?>)
+		raiseMessage(mixedReasonTitle, mixedOnPage, message, level);
 	});
 	</script>
 	<?php