lumapps / lumX

The first responsive front-end framework based on Angular & Google Material Design specifications

Home Page: https://ui.lumapps.com

LxNotificationService does not escape html/js code.

alexandre-nicolas opened this issue · comments

Hi,

I don't know if this is intended or not, but html characters aren't escaped in the notifications. This can lead to some weird behavior, or even JS injection.

Steps to reproduce:


// Ok 
angular.element('body').injector().get('LxNotificationService').info('Price should be > 5€');

// Not ok - Display "5€"
angular.element('body').injector().get('LxNotificationService').info('<Price should be > 5€');

// Not ok - Display ""
angular.element('body').injector().get('LxNotificationService').info('<Price should be = 5€');

// Not ok - popup shows up
angular.element('body').injector().get('LxNotificationService').info('<script>alert(1)</script>');

Hi Alexandre,

Thank you for your notice.
It is in fact intended. This is meant to be able to display HTML formatted notifications.

As you are the one responsible for what's displayed in these notifications, I can only recommend you to strip any unwanted character from the text you give to the notification service if you are not sure of what may be in there.

Hi Clément,

Thank you for that quick answer. I'll strip my data.
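The escaping Clément recommends, as an added example that is not lumX code: a small wrapper that HTML-escapes caller text before delegating to the service, so the strings from the issue are displayed literally instead of being interpreted as markup. It assumes the service exposes lumX-style `info`, `success`, `warning` and `error` methods (only `info` appears above); in a real app `service` would be `angular.element('body').injector().get('LxNotificationService')`, while here a constructed recording stub stands in so the example runs without Angular.

```javascript
// Added example (not part of lumX): escape user-controlled text before handing it to
// a notification service that renders its message as HTML by design.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Replace every HTML-significant character so the browser shows it literally.
// '&' is escaped too, so an already-encoded entity such as '&lt;' is not decoded.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Assumed method names (only `info` is shown in the issue).
const LEVELS = ['info', 'success', 'warning', 'error'];

// Wrap a service whose methods interpret their argument as HTML: callers pass
// plain text, and the wrapper escapes it before delegating to the real service.
function createTextNotifier(service) {
  const wrapped = {};
  for (const level of LEVELS) {
    wrapped[level] = (text, ...rest) => service[level](escapeHtml(text), ...rest);
  }
  return wrapped;
}

// Constructed stand-in for LxNotificationService that records what would be rendered.
function makeRecordingService() {
  const shown = [];
  const service = { shown };
  for (const level of LEVELS) {
    service[level] = (html) => { shown.push({ level, html }); };
  }
  return service;
}

// Replays the cases from the issue; returns the markup the service would render.
function demo() {
  const raw = makeRecordingService();
  const notify = createTextNotifier(raw);
  notify.info('Price should be > 5€');
  notify.info('<Price should be > 5€');
  notify.info('<Price should be = 5€');
  notify.error('<script>alert(1)</script>');
  return raw.shown.map((n) => n.html);
}

console.log(demo());
```

Use the unwrapped service only for notifications whose HTML you compose yourself; anything derived from user or remote data goes through the wrapper.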