sciactive / pnotify

Beautiful JavaScript notifications with Web Notifications support.
https://sciactive.com/pnotify/
Apache License 2.0

PNotify security issue #331

Closed vadym-vorobel closed 6 years ago

vadym-vorobel commented 6 years ago

Hi there!

We are using PNotify on our project and we've run into a security issue in your package. If you pass a script tag with some script inside, it runs the script. Here is a screencast of the problem: https://drive.google.com/file/d/1DHTHcmVDN5p9SfyhXEuOL2uWteJ82GN2/view

It would be nice to remove script tags from the message body, I think. Does it make sense?

Thanks

hperrin commented 6 years ago

This is the default behavior in PNotify 3. You can tell PNotify to escape the text and title with `text_escape` and `title_escape`.

In PNotify 4, the default behavior has changed, so text is escaped by default. You can tell PNotify not to escape it with `textTrusted`.
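The two escaping regimes hperrin describes, as an added example that is not PNotify's own code. It models the option names from the thread (`text_escape` in PNotify 3, `textTrusted` in PNotify 4) as flags on a plain options object and returns the markup string that would be handed to the DOM; the helper names (`renderV3Text`, `renderV4Text`, `stripScriptTags`, `containsActiveMarkup`) and the sample payloads are this example's own constructions, not the library's implementation. It also carries the reporter's suggestion (drop `<script>` tags) through to show why escaping, rather than tag stripping, is the fix that closes the bug: an event-handler attribute on an ordinary tag survives the strip and still executes.

```javascript
// Added illustration of the thread's escaping options; not PNotify code.
// Option names (text_escape, textTrusted) follow the thread; function names
// and handling below are this example's own assumptions.

// Escape the five characters that matter when untrusted text is placed in
// HTML text or attribute context.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// PNotify 3 style: text is treated as HTML unless text_escape is set.
function renderV3Text(opts) {
  return opts.text_escape ? escapeHtml(opts.text) : String(opts.text);
}

// PNotify 4 style: text is escaped unless the caller opts in with textTrusted.
function renderV4Text(opts) {
  return opts.textTrusted ? String(opts.text) : escapeHtml(opts.text);
}

// The reporter's proposal: remove <script> elements and nothing else.
// Kept here only to show that it does not neutralise other payloads.
function stripScriptTags(s) {
  return String(s).replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, '');
}

// Crude check: would the browser still parse an element out of this string,
// or has everything been turned into inert text?
function containsActiveMarkup(html) {
  return /<[a-z][^>]*>/i.test(html);
}

// Constructed sample payloads (not taken from the report).
const SCRIPT_PAYLOAD = '<script>alert(1)</script>';
const HANDLER_PAYLOAD = '<img src=x onerror="alert(1)">';

// Run each payload through every regime and return the resulting markup.
function demo() {
  return {
    v3Default: renderV3Text({ text: SCRIPT_PAYLOAD }),
    v3Escaped: renderV3Text({ text: SCRIPT_PAYLOAD, text_escape: true }),
    v4Default: renderV4Text({ text: SCRIPT_PAYLOAD }),
    v4Trusted: renderV4Text({ text: SCRIPT_PAYLOAD, textTrusted: true }),
    stripOnly: stripScriptTags(HANDLER_PAYLOAD),
  };
}

console.log(demo());
```

The `stripOnly` result is the point of the last case: `<img src=x onerror="alert(1)">` contains no `<script>` element, so a script-only filter leaves it intact and the handler still fires when the notification is inserted into the page. The escaped outputs contain no `<` at all, so nothing is parsed as an element. If you do need markup in a notification, build it from escaped user fields rather than turning on `textTrusted` for the whole string.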

vadym-vorobel commented 6 years ago

@hperrin thanks!