Fixed XSS vulnerability in avatarURL in Likes block (#35747)

JuanLucha · ivan-ottinger · web-flow · commit afd269e9b6e0 · 2024-02-19T13:03:05.000+01:00
* Fixed XSS vulnerability in avatarURL in Likes block

* changelog

* Update changelog

---------

Co-authored-by: Ivan Ottinger &lt;25105483+ivan-ottinger@users.noreply.github.com&gt;
diff --git a/projects/plugins/jetpack/changelog/fix-xss-vulnerability-in-like-block b/projects/plugins/jetpack/changelog/fix-xss-vulnerability-in-like-block
@@ -0,0 +1,4 @@
+Significance: patch
+Type: bugfix
+
+Like block: Encode Avatar URLs
diff --git a/projects/plugins/jetpack/modules/likes/queuehandler.js b/projects/plugins/jetpack/modules/likes/queuehandler.js
@@ -241,7 +241,7 @@ function JetpackLikesMessageListener( event ) {
 				if ( newLayout ) {
 					element.innerHTML = `
 					<a href="${ encodeURI( liker.profile_URL ) }" rel="nofollow" target="_parent" class="wpl-liker">
-						<img src="${ liker.avatar_URL }"
+						<img src="${ encodeURI( liker.avatar_URL ) }"
 							alt=""
 							style="width: 28px; height: 28px;" />
 						<span></span>
@@ -250,7 +250,7 @@ function JetpackLikesMessageListener( event ) {
 				} else {
 					element.innerHTML = `
 					<a href="${ encodeURI( liker.profile_URL ) }" rel="nofollow" target="_parent" class="wpl-liker">
-						<img src="${ liker.avatar_URL }"
+						<img src="${ encodeURI( liker.avatar_URL ) }"
 							alt=""
 							style="width: 30px; height: 30px; padding-right: 3px;" />
 					</a>
