Execution of script in message
vvnsk opened this issue · comments
Please accept the PR to fix the issue below: 3e70ccf
It is up to you as the developer to sanitize the data you are sending to a plugin/function. Since you are the one creating the application, you should clean any data before you pass it on.
Agreed, although I feel the necessity to educate developers to sanitize, by mentioning it in the README or by handling it in the plugin/function.
The issue is a potential cross-site scripting threat, and I don't want developers using the plugin to find that out the hard way.
Hey @vvnsk, I think there is already an option to escape HTML (https://github.com/CodeSeven/toastr#escape-html-characters). Did you try this?
@snoopysecurity I haven't tried that, but that seems to be the solution to my concern. Thank you very much!
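Added example, not part of the thread above and not toastr's own code: what an "escape HTML characters" option has to do before untrusted text is put into toast markup, and why the unescaped path is the XSS the issue describes. `escapeHtml`, `renderToastHtml` and `hasRawTag` are hypothetical helpers written for this illustration; the attacker message is a constructed sample.

```javascript
// Added example (not toastr's code): escaping untrusted text before it
// is inserted into a toast as HTML.

// Escape the five characters that let text break out of an HTML text
// node or attribute value. '&' must be handled first; otherwise the
// entities produced by the later replacements would be escaped again.
function escapeHtml(source) {
  if (source == null) {
    source = '';
  }
  return String(source)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Hypothetical stand-in for a library that builds toast markup from a
// message string. With escapeHtml off, the message reaches the DOM as
// markup; with it on, the message reaches the DOM as text.
function renderToastHtml(message, options) {
  var opts = options || {};
  var body = opts.escapeHtml ? escapeHtml(message) : message;
  return '<div class="toast-message">' + body + '</div>';
}

// True if the toast body still contains a raw tag opener. The escaped
// form is '&lt;', so a '<' followed by a letter, '/' or '!' inside the
// body is exactly what a browser would parse as an element.
function hasRawTag(toastHtml) {
  var open = '<div class="toast-message">';
  var body = toastHtml.slice(open.length, toastHtml.length - '</div>'.length);
  return /<[a-zA-Z\/!]/.test(body);
}

// Constructed attacker-controlled message, e.g. from a username or a
// server response that is echoed into a notification.
var ATTACKER_MESSAGE = '<img src=x onerror=alert(document.domain)>';

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unescaped:', renderToastHtml(ATTACKER_MESSAGE, { escapeHtml: false }));
  console.log('escaped:  ', renderToastHtml(ATTACKER_MESSAGE, { escapeHtml: true }));
}
```

With the real library the README section linked above enables this with `toastr.options.escapeHtml = true`; the point of the example is that the default, markup-preserving path has to be opted out of for every call that carries data the application did not author.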