From 6a82fa1abe81d96238a87727087572ff749d0a8d Mon Sep 17 00:00:00 2001
From: Beuc <beuc@beuc.net>
Date: Sat, 18 May 2024 14:36:41 +0200
Subject: [PATCH] GHSA-grj5-8fcj-34gh follow-up fix (#5751)

Not sure how this was lost during the back&forth during the GHSA process but we missed escaping the 3rd parameter of raise_message_javascript().
---
 lib/functions.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/functions.php b/lib/functions.php
index 4d6fceb74f..fedfd25384 100644
--- a/lib/functions.php
+++ b/lib/functions.php
@@ -1053,7 +1053,7 @@ function raise_message_javascript($title, $header, $message) {
 	var mixedReasonTitle = DOMPurify.sanitize(<?php print json_encode($title, JSON_THROW_ON_ERROR);?>);
 	var mixedOnPage      = DOMPurify.sanitize(<?php print json_encode($header, JSON_THROW_ON_ERROR);?>);
 	sessionMessage   = {
-		message: DOMPurify.sanitize('<?php print $message;?>'),
+		message: DOMPurify.sanitize(<?php print json_encode($message, JSON_THROW_ON_ERROR);?>),
 		level: MESSAGE_LEVEL_MIXED
 	};