fix: XSS security issue #1090

Author: bajrangCoder

package.json

@@ -91,6 +91,7 @@
     "cordova": "12.0.0",
     "core-js": "^3.37.1",
     "crypto-js": "^4.2.0",
+    "dompurify": "^3.2.2",
     "escape-string-regexp": "^5.0.0",
     "esprima": "^4.0.1",
     "filesize": "^10.1.2",

src/dialogs/alert.js

@@ -1,3 +1,4 @@
+import DOMPurify from "dompurify";
 import actionStack from "lib/actionStack";
 import restoreTheme from "lib/restoreTheme";
 
@@ -26,7 +27,7 @@ function alert(titleText, message, onhide) {
 	});
 	const messageSpan = tag("span", {
 		className: "message scroll",
-		innerHTML: message,
+		innerHTML: DOMPurify.sanitize(message),
 	});
 	const okBtn = tag("button", {
 		textContent: strings.ok,

src/dialogs/confirm.js

@@ -1,3 +1,4 @@
+import DOMPurify from "dompurify";
 import actionStack from "lib/actionStack";
 import restoreTheme from "lib/restoreTheme";
 
@@ -21,7 +22,7 @@ function confirm(titleText, message, isHTML) {
 		});
 		const messageSpan = tag("span", {
 			className: "message scroll",
-			innerHTML: isHTML ? message : undefined,
+			innerHTML: isHTML ? DOMPurify.sanitize(message) : undefined,
 			textContent: isHTML ? undefined : message,
 		});
 		const okBtn = tag("button", {

src/dialogs/loader.js

@@ -1,3 +1,4 @@
+import DOMPurify from "dompurify";
 import Ref from "html-tag-js/ref";
 import actionStack from "lib/actionStack";
 import restoreTheme from "lib/restoreTheme";
@@ -54,7 +55,7 @@ function create(titleText, message = "", options = {}) {
 				<div
 					ref={$message}
 					className="message"
-					innerHTML={message}
+					innerHTML={DOMPurify.sanitize(message)}
 					style={{ whiteSpace: "pre-wrap" }}
 				></div>
 			</span>
@@ -87,7 +88,7 @@ function create(titleText, message = "", options = {}) {
 			$titleSpan.textContent = title;
 		},
 		setMessage(message) {
-			$message.innerHTML = message;
+			$message.innerHTML = DOMPurify.sanitize(message);
 		},
 		hide,
 		show,