From 69ddc959ac9177df74218e86091dd13ae4e99485 Mon Sep 17 00:00:00 2001 From: Fomafix Date: Mon, 24 Apr 2023 09:43:39 +0000 Subject: [PATCH] Use Unicode '\u00A0' instead of HTML ' ' The .html() can replaced by .text() which avoids a possible JavaScript injection by a malicious message. Change-Id: Iffdf13299db6fb4ccd8a35b9df4c2f235646ea9d
---
 resources/js/ext.uls.displaysettings.js | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/resources/js/ext.uls.displaysettings.js b/resources/js/ext.uls.displaysettings.js
index d8407986..ba88ddd2 100644
--- a/resources/js/ext.uls.displaysettings.js
+++ b/resources/js/ext.uls.displaysettings.js
@@ -199,8 +199,7 @@ $( '

' ).append( $( '' )
 .addClass( 'uls-display-settings-anon-label' )
- // .html() is needed for correct parsing of the nbsp
- .html( $.i18n( 'ext-uls-display-settings-anon-label' ) + ' ' ),
+ .text( $.i18n( 'ext-uls-display-settings-anon-label' ) + '\u00A0' ),
 $( '' )
 .text( $.i18n( 'ext-uls-display-settings-anon-same-as-content', autonym ) )
 ),
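Review bot: Switching the `+` line to `.text()` means any markup the message `ext-uls-display-settings-anon-label` might contain is now rendered literally instead of interpreted, so the message definition should be checked for HTML before this lands; presumably it is plain text, which is exactly what makes the `.text()` form the safe choice here. The removed comment explained why `.html()` was used, and the replacement deserves an equivalent note so the next reader does not reintroduce `.html()`, e.g. `// U+00A0 keeps the label glued to the autonym that follows; .text() never interprets the message as HTML`. As a matter of style the `'\u00A0'` concatenation could also become a CSS margin on `.uls-display-settings-anon-label`, which would take spacing out of the message path altogether. The enclosing function starts and ends outside the hunk.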