From c9c8ee5556c0d3acc95e8c38e65e9f73eac452bc Mon Sep 17 00:00:00 2001 From: Panagiotis Papadopoulos Date: Wed, 29 Jan 2025 10:07:40 +0100 Subject: [PATCH] fix(setup): use safer `text` method instead of html to prevent possible XSS see also https://api.jquery.com/html/ under "Additional Notes": "Do not use these methods to insert strings obtained from untrusted sources such as URL query parameters, cookies, or form inputs. Doing so can introduce cross-site-scripting (XSS) vulnerabilities. Remove or escape any user input before adding content to the document. " fixes #1072 --- src/public/app/setup.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/public/app/setup.ts b/src/public/app/setup.ts index 6bb44f2e8..ec389c793 100644 --- a/src/public/app/setup.ts +++ b/src/public/app/setup.ts @@ -110,7 +110,7 @@ async function checkOutstandingSyncs() { } function showAlert(message: string) { - $("#alert").html(message); + $("#alert").text(message); $("#alert").show(); }
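Review bot: Switching `showAlert` to `.text()` silently changes the rendering for any caller that deliberately passes markup in `message` (a `<br>` or an anchor would now appear literally), and neither the hunk nor the description says the call sites were audited — please confirm no caller relies on HTML, and pin the new contract so the escape is not reverted by a later "fix": `/** Render message as plain text; it is never interpreted as HTML, so callers must not pass markup. */`. The same untrusted-input-into-`.html()` pattern may exist at other `$("#…").html(…)` sites in this file or elsewhere in `src/public/app` (the hunk shows only this one), which is worth a grep before #1072 is closed. Style-wise, `$("#alert")` is looked up twice in a row; `const $alert = $("#alert"); $alert.text(message); $alert.show();` avoids the repeated query. The `}` at the top of the hunk closes `checkOutstandingSyncs`, whose body begins outside the hunk.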