From bef03a412542fc07fd7082f1e8730599b1176ba9 Mon Sep 17 00:00:00 2001
From: jekkos
Date: Sun, 23 Nov 2025 14:37:23 +0100
Subject: [PATCH] Add DOMpurify + fix XSS

---
 app/Views/partial/header_js.php | 7 +++++++
 package-lock.json | 8 ++++----
 package.json | 1 +
 3 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/app/Views/partial/header_js.php b/app/Views/partial/header_js.php
index 52785f906..7e8268333 100644
--- a/app/Views/partial/header_js.php
+++ b/app/Views/partial/header_js.php
@@ -17,6 +17,13 @@
 document.getElementById('liveclock').innerHTML = moment().format("");
 }
 
+ const notify = $.notify;
+
+ $.notify = function(content, options) {
+ const sanitizedContent = DOMPurify.sanitize(content);
+ return notify(sanitizedContent, options);
+ };
+
 $.notifyDefaults({
 placement: {
 align: "",
diff --git a/package-lock.json b/package-lock.json
index f814880cf..9ed4dcf39 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -28,6 +28,7 @@
 "chartist-plugin-tooltips": "^0.0.17",
 "clipboard": "^2.0.11",
 "coffeescript": "^2.7.0",
+ "dompurify": "^3.3.0",
 "elegant-circles": "github:opensourcepos/elegant-circles#minified",
 "es6-promise": "^4.2.8",
 "file-saver": "^2.0.5",
@@ -1486,11 +1487,10 @@
 "integrity": "sha512-ED3jP8saaweFTjeGX8HQPjeC1YYyZs98jGNZx6IiBvxW7JG5v492kamAQB3m2wop07CvU/RQmzcKr6bgcC5D/Q=="
 },
 "node_modules/dompurify": {
- "version": "3.2.4",
- "resolved": "https://registry.npmjs.org/dompurify/-/dompurify-3.2.4.tgz",
- "integrity": "sha512-ysFSFEDVduQpyhzAob/kkuJjf5zWkZD8/A9ywSp1byueyuCfHamrCBa14/Oc2iiB0e51B+NpxSl5gmzn+Ms/mg==",
+ "version": "3.3.0",
+ "resolved": "https://registry.npmjs.org/dompurify/-/dompurify-3.3.0.tgz",
+ "integrity": "sha512-r+f6MYR1gGN1eJv0TVQbhA7if/U7P87cdPl3HN5rikqaBSBxLiCb/b9O+2eG0cxz0ghyU+mU1QkbsOwERMYlWQ==",
 "license": "(MPL-2.0 OR Apache-2.0)",
- "optional": true,
 "optionalDependencies": {
 "@types/trusted-types": "^2.0.7"
 }
diff --git a/package.json b/package.json
index 7d2a5d0fa..b33082861 100644
--- a/package.json
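Review bot: The wrapper's `const sanitizedContent = DOMPurify.sanitize(content);` only handles the string form of `$.notify`; bootstrap-notify also accepts an object as its first argument (`{ message, title, icon, url, target }`), and as far as I recall DOMPurify coerces a non-string, non-Node input to a string, so a caller using that form would get "[object Object]" as its message while `title` and `icon` would never be sanitized at all. Whether OSPOS uses the object form is not visible in this hunk; if it does or may, sanitize the markup-bearing fields of both shapes as in the excerpt below. Nothing in this commit shows how the global `DOMPurify` reaches the page (no script include or bundle list changes), so please confirm the build actually ships it — otherwise every `$.notify` call throws a ReferenceError and notifications stop entirely. The enclosing script block starts before this hunk.
```javascript
const notify = $.notify;

// bootstrap-notify accepts either a string or an { message, title, icon, ... } object;
// sanitize every field that is rendered as HTML, for both call forms.
$.notify = function(content, options) {
    let sanitizedContent;
    if (content !== null && typeof content === 'object') {
        sanitizedContent = { ...content };
        for (const key of ['message', 'title', 'icon']) {
            if (typeof sanitizedContent[key] === 'string') {
                sanitizedContent[key] = DOMPurify.sanitize(sanitizedContent[key]);
            }
        }
    } else {
        sanitizedContent = DOMPurify.sanitize(content);
    }
    return notify(sanitizedContent, options);
};
// … unchanged: $.notifyDefaults({ … }) …
```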
+++ b/package.json
@@ -49,6 +49,7 @@
 "chartist-plugin-tooltips": "^0.0.17",
 "clipboard": "^2.0.11",
 "coffeescript": "^2.7.0",
+ "dompurify": "^3.3.0",
 "elegant-circles": "github:opensourcepos/elegant-circles#minified",
 "es6-promise": "^4.2.8",
 "file-saver": "^2.0.5",