From dce336f660600cae7761d2a263b9d0fc3fb9cacf Mon Sep 17 00:00:00 2001
From: shadrak gurupnor <gurupnor.shadrak@gmail.com>
Date: Wed, 2 Feb 2022 11:21:06 +0530
Subject: [PATCH] fix: added regex for alerts

---
 frappe/public/js/frappe/utils/common.js | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/frappe/public/js/frappe/utils/common.js b/frappe/public/js/frappe/utils/common.js
index b324cecd39..1f3558b367 100644
--- a/frappe/public/js/frappe/utils/common.js
+++ b/frappe/public/js/frappe/utils/common.js
@@ -259,8 +259,16 @@ frappe.utils.xss_sanitise = function (string, options) {
 		'/': '&#x2F;'
 	};
 	const REGEX_SCRIPT = /<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/gi; // used in jQuery 1.7.2 src/ajax.js Line 14
+	const REGEX_ALERT = /confirm\(.*\)|alert\(.*\)|prompt\(.*\)/gi; // captures alert, confirm, prompt
 	options = Object.assign({}, DEFAULT_OPTIONS, options); // don't deep copy, immutable beauty.
 
+	// Rule 3 - TODO: Check event handlers?
+	// script and alert should be checked first or else it will be escaped
+	if (options.strategies.includes('js')) {
+		sanitised = sanitised.replace(REGEX_SCRIPT, "");
+		sanitised = sanitised.replace(REGEX_ALERT, "");
+	}
+
 	// Rule 1
 	if (options.strategies.includes('html')) {
 		for (let char in HTML_ESCAPE_MAP) {
@@ -270,11 +278,6 @@ frappe.utils.xss_sanitise = function (string, options) {
 		}
 	}
 
-	// Rule 3 - TODO: Check event handlers?
-	if (options.strategies.includes('js')) {
-		sanitised = sanitised.replace(REGEX_SCRIPT, "");
-	}
-
 	return sanitised;
 }