Fixed notifications titles not html escaped (fixes #1272)

getgrav · Mar 10, 2018 · 7477ab6 · 7477ab6
1 parent 5148231
commit 7477ab6
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 3 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -3,6 +3,9 @@
 
 1. [](#bugfix)
     * Automatically redirect to new `admin_route` after changing it [#1371](https://github.com/getgrav/grav-plugin-admin/issues/1371)
+    * Added shortcut in Editor for links: CTRL+K / CMD+K [#1279](https://github.com/getgrav/grav-plugin-admin/issues/1279)
+    * Fixed mediapicker field in lists [#1369](https://github.com/getgrav/grav-plugin-admin/issues/1369)
+    * Fixed notifications titles not html escaped [#1272](https://github.com/getgrav/grav-plugin-admin/issues/1272)
 
 # v1.7.0
 ## 03/09/2018

diff --git a/themes/grav/app/updates/notifications.js b/themes/grav/app/updates/notifications.js
@@ -36,10 +36,12 @@ class Notifications {
         }
 
         if (notification.link) {
+            const title = document.createElement('div');
+            title.innerHTML = notification.message;
             content.append(`
                 <li class="single-notification ${hidden}">
                     <span class="badge alert ${notification.type}">${notification.intro_text}</span>
-                    <a target="_blank" href="${notification.link}" title="${notification.message}">${notification.message}</a>
+                    <a target="_blank" href="${notification.link}" title="${(title.textContent || title.innerText || '')}">${notification.message}</a>
                 </li>
             `);
         } else {