diff --git a/bin/scripts/fix-data/reports_snapshot_flag.js b/bin/scripts/fix-data/reports_snapshot_flag.js
index 50b386ea764..8b39636dbd7 100644
--- a/bin/scripts/fix-data/reports_snapshot_flag.js
+++ b/bin/scripts/fix-data/reports_snapshot_flag.js
@@ -52,8 +52,8 @@ Promise.all([pluginManager.dbConnection("countly")]).then(async function([countl
console.log('Finished');
countlyDb.close();
process.exit();
- }).catch(function(err) {
- console.log('Error', err);
+ }).catch(function() {
+ console.log('Unknown Error while executing script');
countlyDb.close();
process.exit();
});
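Review bot: The new catch handler still calls `process.exit()` with no status, so a failed run exits 0 and is indistinguishable from success to whatever invokes this fix-data script; use `process.exit(1);` in the catch branch. Dropping the `err` argument also discards the error class and message, so a failing run leaves no clue whether the DB connection, the query or the script itself failed; if the full object was removed to keep connection details out of logs, logging `err.name` and `err.message` alone (`console.log('Unknown Error while executing script', err && err.message);`) would keep the diagnostic without the payload. The enclosing Promise.all handler starts outside the hunk.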
diff --git a/plugins/star-rating/frontend/public/templates/feedback-popup.html b/plugins/star-rating/frontend/public/templates/feedback-popup.html
index 3c1e2bb5bff..b10699659dc 100644
--- a/plugins/star-rating/frontend/public/templates/feedback-popup.html
+++ b/plugins/star-rating/frontend/public/templates/feedback-popup.html
@@ -193,7 +193,11 @@
var h = d.getHours();
var dow = d.getDay();
var symbol = 'emoji';
-
+ var encodeHtml = function (html) {
+ var div = document.createElement('div');
+ div.innerText = html;
+ return div.innerHTML;
+ };
if (!platform || (platform === "undefined") || (platform === "null")) {
platform = "Web";
}
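Review bot: `div.innerText = html` is not a pure text-to-entity encoder: setting innerText converts line breaks to `<br>` elements, so `encodeHtml('a\nb')` yields `a<br>b` rather than escaped text, and it forces a layout pass. Assigning `div.textContent = html;` instead escapes `<`, `>` and `&` without inventing markup. The helper is also only useful if it is in scope at the later use site (the hunk at line 239); both appear to sit inside the same function, but its start is outside this hunk so that cannot be confirmed here. A short comment such as `// escape text for safe insertion into HTML` above the helper would make its intent clear.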
@@ -235,11 +239,14 @@
links = JSON.parse(response.links);
}
if(consent && links && finalText){
-links.forEach(function(link) {
- var regex = new RegExp('\\b' + link.textValue + '\\b', 'g');
- finalText = finalText.replace(regex, '' + link.textValue + '');
-});
-
+ //sanitize the text and links
+ finalText = encodeHtml(finalText);
+ links.forEach(function (link) {
+ link.linkValue = encodeHtml(link.linkValue);
+ link.textValue = encodeHtml(link.textValue);
+ var regex = new RegExp('\\b' + link.textValue + '\\b', 'g');
+ finalText = finalText.replace(regex, '' + link.textValue + '');
+ });
}
if(consent){
contentEl.removeClass("hidden");
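Review bot: `new RegExp('\\b' + link.textValue + '\\b', 'g')` interpolates a server-supplied string directly into a pattern, so regex metacharacters in textValue (`.`, `(`, `+`, `?`) change what is matched and a pathological value can make the replace extremely slow; escape it first with `var escaped = link.textValue.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');` and build the regex from `escaped`. Note that after encoding, a textValue containing `&`, `<` or `>` becomes `&amp;`/`&lt;`/`&gt;`, and `\b` next to `&` or `;` no longer marks a word edge, so such links may silently stop matching the encoded finalText. As rendered here the replacement string is just `'' + link.textValue + ''`; if anchor markup around it was lost in rendering, `$` sequences in textValue would also be interpreted in the replacement, so a replacer function (`function() { return ...; }`) is the safer form. The enclosing function continues outside the hunk.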