From: =?utf-8?q?Bastien_Roucari=C3=A8s?= <rouca@debian.org>
Date: Thu, 10 Apr 2025 23:41:07 +0200
Subject: CVE-2024-6485

Sanitize data[state] avoiding thus XSS

origin: backport, https://github.com/entreprise7pro/bootstrap/commit/769c032fd93d6f2c07599e096a736c5d09c041cf
bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1084060
bug: https://www.herodevs.com/vulnerability-directory/cve-2024-6485
---
 js/button.js | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/js/button.js b/js/button.js
index ff4af20..6569240 100644
--- a/js/button.js
+++ b/js/button.js
@@ -25,6 +25,15 @@
     loadingText: 'loading...'
   }
 
+  Button.prototype.sanitize = function (unsafeText) {
+    return unsafeText
+      .replace(/&/g, '&amp;')
+      .replace(/</g, '&lt;')
+      .replace(/>/g, '&gt;')
+      .replace(/"/g, '&quot;')
+      .replace(/'/g, '&#039;');
+  }
+
   Button.prototype.setState = function (state) {
     var d    = 'disabled'
     var $el  = this.$element
@@ -37,7 +46,7 @@
 
     // push to event loop to allow forms to submit
     setTimeout($.proxy(function () {
-      $el[val](data[state] == null ? this.options[state] : data[state])
+      $el[val](data[state] == null ? this.options[state] : this.sanitize(data[state]))
 
       if (state == 'loadingText') {
         this.isLoading = true