Filter the attr to avoid possible XSS vulnerability Fix #1132

AmauriC · Jul 11, 2023 · c4c2fcf · c4c2fcf
1 parent 2565f0e
commit c4c2fcf
Showing 1 changed file with 7 additions and 1 deletion.
diff --git a/tarteaucitron.js b/tarteaucitron.js
@@ -2083,7 +2083,13 @@ var tarteaucitron = {
         return elem.getAttribute('height') || elem.clientHeight;
     },
     "getElemAttr": function (elem, attr) {
-        return elem.getAttribute('data-' + attr) || elem.getAttribute(attr);
+        var attribute = elem.getAttribute('data-' + attr) || elem.getAttribute(attr);
+
+        if (typeof attribute === 'string') {
+            return tarteaucitron.fixSelfXSS(attribute);
+        }
+
+        return "";
     },
     "addClickEventToId": function (elemId, func) {
         tarteaucitron.addClickEventToElement(document.getElementById(elemId), func);