From 3710b7336c43b58cd11a7bb2ff1f9dcbca456c30 Mon Sep 17 00:00:00 2001
From: Muhammed Niyazi Alpay
Date: Fri, 16 Jan 2026 23:53:18 +0300
Subject: [PATCH] Potential fix for code scanning alert no. 2: DOM text reinterpreted as HTML

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 public/themes/Default/js/bootstrap.js | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/public/themes/Default/js/bootstrap.js b/public/themes/Default/js/bootstrap.js
index 4eac8e35e..faa473998 100644
--- a/public/themes/Default/js/bootstrap.js
+++ b/public/themes/Default/js/bootstrap.js
@@ -64,6 +64,12 @@ if ("undefined" == typeof jQuery)
 };
 d.VERSION = "3.3.7",
 d.TRANSITION_DURATION = 150,
+ d._isSafeSelector = function(f) {
+ // Allow only simple ID selectors like "#my-alert"
+ if (!f || "string" != typeof f) return !1;
+ return /^#[A-Za-z][A-Za-z0-9\-_:.]*$/.test(f);
+ }
+ ,
 d.prototype.close = function(b) {
 function c() {
 g.detach().trigger("closed.bs.alert").remove()
@@ -72,7 +78,8 @@ if ("undefined" == typeof jQuery)
 , f = e.attr("data-target");
 f || (f = e.attr("href"), f = f && f.replace(/.*(?=#[^\s]*$)/, ""));
- var g = a("#" === f ? [] : f);
+ d._isSafeSelector(f) || (f = null);
+ var g = f ? a("#" === f ? [] : f) : a();
 b && b.preventDefault(),
 g.length || (g = e.closest(".alert")),
 g.trigger(b = a.Event("close.bs.alert")),
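Review bot: The allowlist in `d._isSafeSelector` is narrower than both what the removed `a(f)` call accepted and what HTML allows as an id, and the comment above the regex does not say so: a `data-target` holding a class selector, or an id starting with a digit, is now silently rejected and close() falls back to the nearest `.alert` in the following hunk. That is a reasonable hardening against the selector string being parsed as HTML, but it is a behaviour change that callers of this theme's markup will not see anywhere. I would extend the comment to `// Only simple ID selectors are accepted; any other data-target/href value is discarded and close() falls back to the closest .alert`. Note that the regex rejects ids beginning with a digit, which HTML5 permits, so widening the first character class may be worth considering if such ids occur in this project's templates. The close function that consumes this helper starts in this hunk and continues past the end of the patch as shown.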