From e48b0c90f3a5e946afe4358be570b15c8b3c3fca Mon Sep 17 00:00:00 2001
From: Kaj Kowalski
Date: Sun, 18 May 2025 23:37:40 +0200
Subject: [PATCH] Potential fix for code scanning alert no. 3: DOM text reinterpreted as HTML

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 dashboard_project/templates/base.html | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/dashboard_project/templates/base.html b/dashboard_project/templates/base.html
index 27ef9eb..74f0507 100644
--- a/dashboard_project/templates/base.html
+++ b/dashboard_project/templates/base.html
@@ -299,6 +299,15 @@
 });
 function createToast(messageText, messageTags) {
+ function escapeHtml(unsafe) {
+ return unsafe
+ .replace(/&/g, "&")
+ .replace(//g, ">")
+ .replace(/"/g, """)
+ .replace(/'/g, "'");
+ }
+
 let toastClass = "";
 let autohide = true;
 let delay = 5000;
@@ -329,7 +338,7 @@
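Review bot: As rendered here the new escapeHtml helper escapes nothing — `.replace(/&/g, "&")`, `.replace(/"/g, """)` and `.replace(/'/g, "'")` replace each character with itself and `.replace(//g, ">")` is not a valid regex literal — which looks like HTML-entity decoding of the patch text in this view, so confirm that the committed base.html really maps `&`, `<`, `>`, `"` and `'` to `&amp;`, `&lt;`, `&gt;`, `&quot;` and `&#039;` before treating the alert as fixed. Independently, `unsafe.replace(...)` throws a TypeError when messageText is not a string, so start the helper with `return String(unsafe)` before the chain. messageTags is not escaped at all; if it also reaches the toast markup (only messageText is wrapped in the second hunk) it needs the same treatment, or better a fixed allow-list lookup that yields a class name. Building the toast with `document.createElement` and `textContent` instead of a template string would make the escaper unnecessary; createToast's body continues outside this hunk.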
- ${messageText}
+ ${escapeHtml(messageText)}
`;