Fixed an XSS vulnerability

craftcms · Apr 3, 2023 · 9d0cd0b · 9d0cd0b
1 parent 5b4ca40
commit 9d0cd0b
Show file tree

Hide file tree

Showing 4 changed files with 6 additions and 3 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -11,6 +11,7 @@
 - Fixed a JavaScript error that occurred when closing a disclosure menu within Live Preview. ([#12992](https://github.com/craftcms/cms/issues/12992))
 - Fixed a bug where assets were getting relocated to the root volume folder when renamed. ([#12995](https://github.com/craftcms/cms/issues/12995))
 - Fixed a bug where it wasn’t possible to preview entries on another domain when the system was offline. ([#12979](https://github.com/craftcms/cms/issues/12979))
+- Fixed an XSS vulnerability.
 
 ## 3.8.5 - 2023-03-21
 

diff --git a/src/web/assets/quickpost/dist/QuickPostWidget.js b/src/web/assets/quickpost/dist/QuickPostWidget.js
diff --git a/src/web/assets/quickpost/dist/QuickPostWidget.js.map b/src/web/assets/quickpost/dist/QuickPostWidget.js.map
diff --git a/src/web/assets/quickpost/src/QuickPostWidget.js b/src/web/assets/quickpost/src/QuickPostWidget.js
@@ -94,7 +94,9 @@
 
                   for (var i = 0; i < response.errors[attribute].length; i++) {
                     var error = response.errors[attribute][i];
-                    $('<li>' + error + '</li>').appendTo(this.$errorList);
+                    $('<li/>', {
+                      text: error,
+                    }).appendTo(this.$errorList);
                   }
                 }
               }