CodeSeven / toastr

Simple javascript toast notifications
http://www.toastrjs.com
MIT License

Execution of script in message #629

Closed vvnsk closed 4 years ago

vvnsk commented 5 years ago

Steps to Reproduce: Send JavaScript in the message

Expected Result: JavaScript code should be treated as a string

Actual Result: The code is executed.


vvnsk commented 5 years ago

Please accept the PR to fix the below issue https://github.com/CodeSeven/toastr/pull/523/commits/3e70ccf9d50c4b578caaf059c7538fa9b0ec8802

TexasSwede commented 4 years ago

It is up to you as the developer to sanitize the data you are sending to a plugin/function. Since you are the one creating the application, you should clean any data before you pass it on.

vvnsk commented 4 years ago

Agreed, although I feel the necessity to educate the developers to sanitize, by mentioning the same in the README, or handling the same in the plugin/function. The issue is a potential cross-site scripting threat and I don't want developers using the plugin to figure out the same the hard way.

snoopysecurity commented 4 years ago

Hey @vvnsk I think there is already an option to escape HTML (https://github.com/CodeSeven/toastr#escape-html-characters) did you try this?
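
The following is an added example illustrating the option referred to above; it is not code from the toastr project or from anyone in this thread. The `escapeHtml` helper reproduces the entity substitutions toastr applies when `toastr.options.escapeHtml` is set (`&`, `"`, `'`, `<`, `>`), and `renderToastHtml` is an assumed stand-in for the library's rendering that returns the markup string a toast would inject, so the difference between the default (`escapeHtml: false`) and the hardened setting can be checked without a browser. The payload string is constructed for the demonstration.

```javascript
// Added example, not toastr's own code. Models what reaches the DOM with and
// without toastr.options.escapeHtml, which defaults to false in the library.

// Same substitutions toastr performs when escapeHtml is enabled.
function escapeHtml(source) {
  if (source == null) source = '';
  return String(source)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Assumed stand-in for toastr's rendering: returns the fragment that would be
// handed to the DOM. Title and message are the two fields the option covers.
function renderToastHtml(message, title, options) {
  const opts = Object.assign({ escapeHtml: false }, options || {});
  const msg = opts.escapeHtml ? escapeHtml(message) : (message == null ? '' : String(message));
  const ttl = opts.escapeHtml ? escapeHtml(title) : (title == null ? '' : String(title));
  return '<div class="toast-title">' + ttl + '</div>' +
         '<div class="toast-message">' + msg + '</div>';
}

// Returns the message portion only, so a caller can check whether attacker
// input survived as raw markup (the wrapper divs are not counted).
function messageFragment(message, options) {
  const html = renderToastHtml(message, '', options);
  const start = html.indexOf('<div class="toast-message">') + '<div class="toast-message">'.length;
  return html.slice(start, html.lastIndexOf('</div>'));
}

// Hardening step for the real library: takes the toastr global (or any object
// with an options bag) and switches escaping on before any toast is shown.
function hardenToastr(toastrLib) {
  toastrLib.options = toastrLib.options || {};
  toastrLib.options.escapeHtml = true;
  return toastrLib;
}

// Constructed attacker-controlled input, e.g. a server-side error string
// echoed into a toast. With the default setting it is injected as markup.
const payload = '<img src=x onerror="alert(document.domain)">';

// In a browser this would be:
//   hardenToastr(window.toastr);   // sets toastr.options.escapeHtml = true
//   toastr.error(payload, 'Untrusted title');
// and the toast shows the literal text instead of running the handler.
if (typeof require !== 'undefined' && require.main === module) {
  console.log('default:  ' + messageFragment(payload));
  console.log('escaped:  ' + messageFragment(payload, { escapeHtml: true }));
}
```

The option must be set explicitly; toastr ships with it off. It only covers the title and message arguments, so if a toast needs real HTML built from untrusted parts, escape those parts individually before concatenating rather than relying on the option.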

vvnsk commented 4 years ago

@snoopysecurity I haven't tried that, but that seems to be the solution to my concern. Thank you very much!