sanitize text and links

prevent xss
Countly · kanwarujjaval · Jul 4, 2024 · Jun 26, 2024 · Jul 1, 2024 · Jul 1, 2024
commit 34c7bcba3d0bf188e15def89ad3f22b9a95b2ec6
diff --git a/plugins/star-rating/frontend/public/templates/feedback-popup.html b/plugins/star-rating/frontend/public/templates/feedback-popup.html
@@ -235,15 +235,18 @@
                     links = JSON.parse(response.links);
                 }
                 if(consent && links && finalText){
-links.forEach(function(link) {
-    var regex = new RegExp('\\b' + link.textValue + '\\b', 'g');
-    finalText = finalText.replace(regex, '<a href="' + link.linkValue + '" target="_blank">' + link.textValue + '</a>');
-});
-
+                    //sanitize the text and links
+                    finalText = $("<p>").text(finalText).text();
+                    links.forEach(function (link) {
+                        link.linkValue = $("<p>").text(link.linkValue).text();
+                        link.textValue = $("<p>").text(link.textValue).text();
+                        var regex = new RegExp('\\b' + link.textValue + '\\b', 'g');
+                        finalText = finalText.replace(regex, '<a href="' + link.linkValue + '" target="_blank">' + link.textValue + '</a>');
+                    });
                 }
                 if(consent){
                                 contentEl.removeClass("hidden");
                                $(contentEl).find(".text").html(finalText);
                            var consentChecked = contentEl.find("input").is(":checked");
                            if(consentChecked){
                            $("#cf-submit-button").removeClass("disabled");