From 8765aaaa3ad5fe241e7c32e4f60f9d53b2ba6056 Mon Sep 17 00:00:00 2001
From: Roman Kelesidis
Date: Thu, 26 Oct 2023 15:07:39 +0700
Subject: [PATCH] Use strip_tags() for error message in ajax_die() (#990)
---
 library/ajax/edit_user_profile.php | 2 +-
 library/ajax/posts.php | 4 ++--
 src/Ajax.php | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/library/ajax/edit_user_profile.php b/library/ajax/edit_user_profile.php
index 067d369bd..db570cb43 100644
--- a/library/ajax/edit_user_profile.php
+++ b/library/ajax/edit_user_profile.php
@@ -27,7 +27,7 @@ switch ($field) {
 case 'username':
 $value = clean_username($value);
 if ($err = \TorrentPier\Validate::username($value)) {
- $this->ajax_die(strip_tags($err));
+ $this->ajax_die($err);
 }
 $this->response['new_value'] = $this->request['value'];
 break;
diff --git a/library/ajax/posts.php b/library/ajax/posts.php
index 4b2ba6953..8d5b80535 100644
--- a/library/ajax/posts.php
+++ b/library/ajax/posts.php
@@ -74,7 +74,7 @@ switch ($this->request['type']) {
 case 'reply':
 if (bf($userdata['user_opt'], 'user_opt', 'dis_post')) {
- $this->ajax_die(strip_tags($lang['RULES_REPLY_CANNOT']));
+ $this->ajax_die($lang['RULES_REPLY_CANNOT']);
 } elseif (!$is_auth['auth_reply']) {
 $this->ajax_die(sprintf($lang['SORRY_AUTH_REPLY'], strip_tags($is_auth['auth_reply_type'])));
 }
@@ -217,7 +217,7 @@ switch ($this->request['type']) {
 }
 if (bf($userdata['user_opt'], 'user_opt', 'dis_post')) {
- $this->ajax_die(strip_tags($lang['RULES_REPLY_CANNOT']));
+ $this->ajax_die($lang['RULES_REPLY_CANNOT']);
 } elseif (!$is_auth['auth_reply']) {
 $this->ajax_die(sprintf($lang['SORRY_AUTH_REPLY'], strip_tags($is_auth['auth_reply_type'])));
 }
diff --git a/src/Ajax.php b/src/Ajax.php
index 72532b776..8d3f85794 100644
--- a/src/Ajax.php
+++ b/src/Ajax.php
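Review bot: In library/ajax/edit_user_profile.php the `username` case still returns `$this->request['value']` as `new_value` rather than the `$value` that passed through `clean_username()` and validation, so the success path echoes the raw request value while this commit only strips the error path. If the client writes `new_value` into the page as HTML, consider `$this->response['new_value'] = $value;` or escaping where it is rendered. Whether `$this->request['value']` is normalised earlier in the file cannot be seen from this hunk, which starts inside the `switch ($field)` body.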
@@ -145,7 +145,7 @@ class Ajax
 public function ajax_die(string $error_msg, int $error_code = E_AJAX_GENERAL_ERROR)
 {
 $this->response['error_code'] = $error_code;
- $this->response['error_msg'] = $error_msg;
+ $this->response['error_msg'] = strip_tags($error_msg);
 $this->send();
 }
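Review bot: `strip_tags()` on `error_msg` removes markup but is not output encoding: quotes and `&` pass through unchanged, and text following a stray `<` can be dropped from a legitimate message. Since the call sites in edit_user_profile.php and posts.php no longer strip their own arguments, every error path now depends on this one line, so it should state what it guarantees, e.g. `// Plain-text only: tags are removed here; clients must still insert error_msg as text, not HTML`. If any client does render the message as HTML, `htmlspecialchars(strip_tags($error_msg), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` would be the safer assignment. The method is fully visible in the hunk, but the rest of the class, including any other writer of `response['error_msg']`, is outside it.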