From 3a48b30f3021f03809cabf2b2c42b9c63b6b03be Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Adri=C3=A0=20Casaj=C3=BAs?=
Date: Fri, 13 May 2022 16:55:45 +0200
Subject: [PATCH] Fix: Sanitize directory name before displaying it to the user

---
 templates/dashboard/directory.html | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/templates/dashboard/directory.html b/templates/dashboard/directory.html
index 3faa66df..a0bd842d 100644
--- a/templates/dashboard/directory.html
+++ b/templates/dashboard/directory.html
@@ -197,14 +197,16 @@
             $(".delete-dir").on("click", function (e) {
                 let directory = $(this).parent().find(".dir-name").val();
-                let that = $(this);
-                let message = `All aliases associated with ${directory} directory will also be deleted. ` +
+                const unsanitizedMessage = `All aliases associated with ${directory} directory will also be deleted. ` +
                     `As a deleted directory can't be used by someone else, deleting a directory doesn't reset your directory quota. ` +
                     `Your directory quota will be {{ current_user.directory_quota }} after the deletion, ` +
                     " please confirm.";
+                const element = document.createElement('div');
+                element.innerText = unsanitizedMessage;
+                const sanitizedMessage = element.innerHTML;
                 bootbox.confirm({
-                    message: message,
+                    message: sanitizedMessage,
                     buttons: {
                         confirm: {
                             label: 'Yes, delete it',
@@ -215,9 +217,9 @@
                             className: 'btn-outline-primary'
                         }
                     },
-                    callback: function (result) {
+                    callback: (result) => {
                         if (result) {
-                            that.closest("form").submit();
+                            this.closest("form").submit();
                         }
                     }
                 })
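Review bot: The escaping step `element.innerText = unsanitizedMessage;` uses innerText, whose setter is layout-aware and converts newline characters into `<br>` elements, so a directory name containing a line break would come back from `element.innerHTML` as markup rather than as escaped text; `element.textContent = unsanitizedMessage;` gives the same `&lt;`/`&gt;`/`&amp;` escaping without that conversion. The value being escaped is `directory`, read with `.val()` from a user-editable field, which is why the detour through a detached element is needed at all since bootbox renders `message` as HTML. A comment above the three added lines, `// directory is user-controlled and bootbox renders message as HTML: escape it first`, would keep that reason visible to the next editor. The enclosing click handler continues into the second hunk.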
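Review bot: Turning the callback into an arrow function makes `this` the raw DOM element of the surrounding jQuery `.on("click", function (e) {...})` handler, so `this.closest("form").submit()` now calls the native HTMLFormElement.submit() instead of jQuery's `.submit()` that the removed `that.closest("form").submit()` used. The native method submits without dispatching a submit event, so any submit listeners bound to that form (validation, double-submit guards) would no longer run; `Element.closest` is also unavailable in older browsers that jQuery still supports. If the change only meant to drop the `that` alias, `$(this).closest("form").submit();` preserves the previous behaviour. The handler whose `this` is captured starts in the previous hunk.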