From ca891b477e32ad789ffe3f215218b18052d22ea4 Mon Sep 17 00:00:00 2001
From: Tony Murray
Date: Mon, 8 Jan 2024 10:08:41 -0600
Subject: [PATCH] Fix XSS in default example plugin (#15711)
* Fix XSS in default example plugin on* html fields are hard to escape properly, avoid putting user input there
* Apply fixes from StyleCI
---------
Co-authored-by: StyleCI Bot
---
 .../ExamplePlugin/resources/views/settings.blade.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/app/Plugins/ExamplePlugin/resources/views/settings.blade.php b/app/Plugins/ExamplePlugin/resources/views/settings.blade.php
index 895bfb047b..a93ad4a463 100644
--- a/app/Plugins/ExamplePlugin/resources/views/settings.blade.php
+++ b/app/Plugins/ExamplePlugin/resources/views/settings.blade.php
@@ -18,7 +18,7 @@
-
+
 @empty
@@ -79,8 +79,8 @@
 document.getElementById('new-setting-value').value = '';
 }
- function deleteSetting(name) {
- document.getElementById('settings-row-' + name).remove();
+ function deleteSetting(nameId) {
+ document.getElementById('settings-row-' + nameId.substring(7)).remove();
 }
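Review bot: The `7` in `nameId.substring(7)` is an undocumented magic number that ties `deleteSetting` to the id prefix the template gives the clicked element. The markup lines of the first hunk are not visible in this extract, so the prefix is only presumed to be seven characters long. If that prefix is renamed, or no `settings-row-` element matches the derived name, `getElementById` returns null and `.remove()` throws, leaving the row in place. I would name the prefix beside the template id and guard the lookup, e.g. `const row = document.getElementById('settings-row-' + nameId.slice(ID_PREFIX.length));` then `if (row) row.remove();`, where `ID_PREFIX` is a placeholder for the real prefix. The function that adds new rows starts outside this hunk, so it is worth confirming that client-created rows use the same id scheme and do not put the setting name back into an inline `on*` handler.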