From 7b43f64e87b242df29111d431c2aa4da0176671b Mon Sep 17 00:00:00 2001
From: billz
Date: Wed, 5 Apr 2023 17:03:12 +0200
Subject: [PATCH] Code scan fix: escape text before interpreting as html
---
 app/js/custom.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/app/js/custom.js b/app/js/custom.js
index 6c239840..40e181bc 100644
--- a/app/js/custom.js
+++ b/app/js/custom.js
@@ -322,11 +322,11 @@ $('#ovpn-userpw,#ovpn-certs').on('click', function (e) {
 });
 $('#js-system-reset-confirm').on('click', function (e) {
- var progressHtml = $('#js-system-reset-confirm').attr('data-message');
+ var progressText = $('#js-system-reset-confirm').attr('data-message');
 var successHtml = $('#system-reset-message').attr('data-message');
 var closeHtml = $('#js-system-reset-cancel').attr('data-message');
 var csrfToken = $('meta[name=csrf_token]').attr('content');
- progressHtml += '';
+ var progressHtml = $('
').text(progressText).html() + '';
 $('#system-reset-message').html(progressHtml);
 $.post('ajax/networking/do_sys_reset.php?',{'csrf_token':csrfToken},function(data){
 setTimeout(function(){
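Review bot: Only `progressText` is escaped; `successHtml` and `closeHtml` are read from the same kind of `data-message` attribute on the next two lines, keep their `Html` names, and are written somewhere past the end of this hunk (the handler body continues after `setTimeout(function(){`). If either value reaches `.html()`, the same text-reinterpreted-as-HTML finding still applies there, so they should be written with `.text(successHtml)` and `.text(closeHtml)` or escaped the same way. For the progress message, the round trip through a detached element can be avoided by setting the text directly, `$('#system-reset-message').text(progressText);`, and appending the trailing markup as an element afterwards, which keeps the attribute value out of any HTML parser. The element literal and the concatenated suffix are empty on this page, presumably markup lost in rendering, so this rests on the visible call chain only.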