When we receive an error message from the server to display in the popup extension, we should be receiving strictly text. Instead, we are receiving formatted HTML. This forces us to use .innerHTML instead of .value or .innerText, opening the gates for potential cross-site scripting attacks. We should only receive text to display to the user so we don't have to use this.
Steps to reproduce:
type invalid claim and link
hit the 'Cite' button
Expected results:
The error modal displays, and the text is unformatted.
Actual results:
The error modal displays, along with specific formatting inside of the error message field textbox.
When we receive an error message from the server to display in the popup extension, we should be receiving strictly text. Instead, we are receiving formatted HTML. This forces us to use .innerHTML instead of .value or .innerText, opening the gates for potential cross-site scripting attacks. We should only receive text to display to the user so we don't have to use this.
Steps to reproduce:
Expected results:
Actual results: