vuln_patch/dnnsoftware/Dnn.Platform/0002-Unverified-.-Help-prevent-XSS-attacks-through-access.patch

From 42ec718703ae82e617ff895d3db93b7ab529c372 Mon Sep 17 00:00:00 2001
From: Roy <roy@royvanlunsen.nl>
Date: Wed, 27 Mar 2024 13:39:14 +0100
Subject: [PATCH 2/2] (Unverified). Help prevent XSS attacks through access to
 database.

---
 .../Shared/components/ComposeMessage/ComposeMessage.js          | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/DNN Platform/Website/Resources/Shared/components/ComposeMessage/ComposeMessage.js b/DNN Platform/Website/Resources/Shared/components/ComposeMessage/ComposeMessage.js
index 4f4d8d0ea3..d0bd4e2549 100644
--- a/DNN Platform/Website/Resources/Shared/components/ComposeMessage/ComposeMessage.js	
+++ b/DNN Platform/Website/Resources/Shared/components/ComposeMessage/ComposeMessage.js	
@@ -63,7 +63,7 @@
 	    function attachFile(file) {
             if ($.inArray(file.id, attachments) === -1) {
                 attachments.push(file.id);
-                composeMessageDialog.find('.messageAttachments ul').append('<li><a href="#" title="' + file.name + '">' + file.name + '</a><a href="#" class="removeAttachment" title="' + opts.removeText + '"></a></li>');
+                composeMessageDialog.find('.messageAttachments ul').append('<li>' + $('<a href="#"></a>').attr('title', dnn.decodeHTML(file.name)).text(dnn.decodeHTML(file.name)).after('<a href="#" class="removeAttachment" title="' + opts.removeText + '"></a></li>'));
                 composeMessageDialog.find('.messageAttachments li:last-child .removeAttachment').click(function () {
                     var index = $.inArray(file.id, attachments);
                     if (index !== -1) {
-- 
2.32.0