From b93359bcaf77fd1bd4b295eef06239b9c3934ed8 Mon Sep 17 00:00:00 2001
From: jekkos <jeroen.peelaerts@gmail.com>
Date: Tue, 3 Mar 2026 22:28:32 +0100
Subject: [PATCH] Fix XSS vulnerability in attributes (#3965)

---
 app/Views/attributes/form.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/Views/attributes/form.php b/app/Views/attributes/form.php
index 8e216af8e..46afb3d23 100644
--- a/app/Views/attributes/form.php
+++ b/app/Views/attributes/form.php
@@ -192,7 +192,7 @@
                 }
             }
 
-            $('#definition_list_group').append('<li class="list-group-item">' + value + '<a href="javascript:void(0);"><span class="glyphicon glyphicon-trash pull-right"></span></a></li>')
+            $('#definition_list_group').append('<li class="list-group-item">' + DOMPurify.sanitize(value) + '<a href="javascript:void(0);"><span class="glyphicon glyphicon-trash pull-right"></span></a></li>')
                 .find(':last-child a').click(remove_attribute_value);
             $('#definition_value').val('');
         };