commit 4cf6c0797755e85ef7575cbd4c6482b643d2972b
Author: Roy <roy@royvanlunsen.nl>
Date:   Wed Apr 3 14:44:34 2024 +0200

    Dnn.Platform: Prevent XSS attacks through direct access to certain DB columns.

diff --git a/dnnsoftware/Dnn.Platform/0001-Help-prevent-XSS-attacks-through-access-to-database-.patch b/dnnsoftware/Dnn.Platform/0001-Help-prevent-XSS-attacks-through-access-to-database-.patch
new file mode 100644
index 0000000..99b74d3
--- /dev/null
+++ b/dnnsoftware/Dnn.Platform/0001-Help-prevent-XSS-attacks-through-access-to-database-.patch
@@ -0,0 +1,40 @@
+From 999f5e1e7467fc688f00515e14ff247cdeb730d3 Mon Sep 17 00:00:00 2001
+From: Roy <roy@royvanlunsen.nl>
+Date: Wed, 27 Mar 2024 13:38:58 +0100
+Subject: [PATCH 1/2] Help prevent XSS attacks through access to database
+ "displayName" column.
+
+---
+ DNN Platform/Modules/Journal/Scripts/mentionsInput.js           | 2 +-
+ .../admin/personaBar/scripts/permissionGrid.js                  | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/DNN Platform/Modules/Journal/Scripts/mentionsInput.js b/DNN Platform/Modules/Journal/Scripts/mentionsInput.js
+index 6672d9694f..064588c833 100644
+--- a/DNN Platform/Modules/Journal/Scripts/mentionsInput.js	
++++ b/DNN Platform/Modules/Journal/Scripts/mentionsInput.js	
+@@ -162,7 +162,7 @@
+ 	        $this.data('ui-autocomplete')._renderItem = function(ul, item) {
+ 	            return $('<li></li>')
+ 	                .data('ui-autocomplete-item', item)
+-	                .append('<a><img src="' + item.avatar + '" /><span class="dn">' + item.displayName + '<span></a>')
++	                .append('<a><img src="' + item.avatar + '" />' + $('<span class="dn"></span>').text(dnn.decodeHTML(item.displayName)) + '</a>')
+ 	                .appendTo(ul);
+ 	        };
+ 
+diff --git a/Dnn.AdminExperience/Library/Dnn.PersonaBar.UI/admin/personaBar/scripts/permissionGrid.js b/Dnn.AdminExperience/Library/Dnn.PersonaBar.UI/admin/personaBar/scripts/permissionGrid.js
+index cca1593c04..e096a53944 100644
+--- a/Dnn.AdminExperience/Library/Dnn.PersonaBar.UI/admin/personaBar/scripts/permissionGrid.js
++++ b/Dnn.AdminExperience/Library/Dnn.PersonaBar.UI/admin/personaBar/scripts/permissionGrid.js
+@@ -109,7 +109,7 @@ if (typeof dnn.controls === "undefined" || dnn.controls === null) { dnn.controls
+             var cols = header.find('>td:not(:first-child)');
+             var row = $('<tr class="dnnItem ' + (table.find('> tr').length % 2 === 0 ? 'dnnGridAltItem' : 'dnnGridItem') + '"></tr>');
+             row.data('key', type == "users" ? data.userId : data.roleId);
+-            row.append('<td class="permissionHeader">' + (type == "users" ? data.displayName : data.roleName) + "</td>");
++            row.append($('<td class="permissionHeader"></td>').text(dnn.decodeHTML(type == "users" ? data.displayName : data.roleName)));
+             for (var i = 0; i < cols.length; i++) {
+                 var headerCol = cols.eq(i);
+                 var permissionId = headerCol.data('permissionId');
+-- 
+2.32.0
+
diff --git a/dnnsoftware/Dnn.Platform/0002-Unverified-.-Help-prevent-XSS-attacks-through-access.patch b/dnnsoftware/Dnn.Platform/0002-Unverified-.-Help-prevent-XSS-attacks-through-access.patch
new file mode 100644
index 0000000..e7c17c8
--- /dev/null
+++ b/dnnsoftware/Dnn.Platform/0002-Unverified-.-Help-prevent-XSS-attacks-through-access.patch
@@ -0,0 +1,26 @@
+From 42ec718703ae82e617ff895d3db93b7ab529c372 Mon Sep 17 00:00:00 2001
+From: Roy <roy@royvanlunsen.nl>
+Date: Wed, 27 Mar 2024 13:39:14 +0100
+Subject: [PATCH 2/2] (Unverified). Help prevent XSS attacks through access to
+ database.
+
+---
+ .../Shared/components/ComposeMessage/ComposeMessage.js          | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/DNN Platform/Website/Resources/Shared/components/ComposeMessage/ComposeMessage.js b/DNN Platform/Website/Resources/Shared/components/ComposeMessage/ComposeMessage.js
+index 4f4d8d0ea3..d0bd4e2549 100644
+--- a/DNN Platform/Website/Resources/Shared/components/ComposeMessage/ComposeMessage.js	
++++ b/DNN Platform/Website/Resources/Shared/components/ComposeMessage/ComposeMessage.js	
+@@ -63,7 +63,7 @@
+ 	    function attachFile(file) {
+             if ($.inArray(file.id, attachments) === -1) {
+                 attachments.push(file.id);
+-                composeMessageDialog.find('.messageAttachments ul').append('<li><a href="#" title="' + file.name + '">' + file.name + '</a><a href="#" class="removeAttachment" title="' + opts.removeText + '"></a></li>');
++                composeMessageDialog.find('.messageAttachments ul').append('<li>' + $('<a href="#"></a>').attr('title', dnn.decodeHTML(file.name)).text(dnn.decodeHTML(file.name)).after('<a href="#" class="removeAttachment" title="' + opts.removeText + '"></a></li>'));
+                 composeMessageDialog.find('.messageAttachments li:last-child .removeAttachment').click(function () {
+                     var index = $.inArray(file.id, attachments);
+                     if (index !== -1) {
+-- 
+2.32.0
+