Fix code scanning alert #520: Client-side cross-site scripting

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
bitpredator · Sep 21, 2024 · 32c6ab1 · 32c6ab1
1 parent 2e53df6
commit 32c6ab1
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 3 deletions.
diff --git a/package.json b/package.json
@@ -1,5 +1,8 @@
 {
   "devDependencies": {
     "eslint": "^9.10.0"
+  },
+  "dependencies": {
+    "dompurify": "^3.1.6"
   }
 }
diff --git a/server-data/resources/[esx_addons]/esx_garage/nui/js/app.js b/server-data/resources/[esx_addons]/esx_garage/nui/js/app.js
@@ -1,3 +1,5 @@
+import DOMPurify from 'dompurify';
+
 $(window).ready(function() {
 	window.addEventListener('message', function(event) {
 		const data = event.data;
@@ -52,13 +54,13 @@ $(window).ready(function() {
 			}
 
 			$('.vehicle-listing').html(function(_i, text) {
-				return text.replace('Model', data.locales.veh_model);
+				return text.replace('Model', DOMPurify.sanitize(data.locales.veh_model));
 			});
 			$('.vehicle-listing').html(function(_i, text) {
-				return text.replace('Plate', data.locales.veh_plate);
+				return text.replace('Plate', DOMPurify.sanitize(data.locales.veh_plate));
 			});
 			$('.vehicle-listing').html(function(_i, text) {
-				return text.replace('Condition', data.locales.veh_condition);
+				return text.replace('Condition', DOMPurify.sanitize(data.locales.veh_condition));
 			});
 		}
 		else if (data.hideAll) {