Metro-UI-CSS
Reflected xss in Notify.js
FYI, we notified you many months ago by email that there is a vuln in your code, but you did not reply nor fix the issue. That is why I'm posting the issue here.
If you think this is already fixed, then see this ticket as an open disclosure.
Describe the bug: It is possible to run JS when triggering a notification, when the notification gets the body/value of the parameter.
// Vulnerable code as posted: both title and message are inserted with
// jQuery's .html(), so any markup in them is parsed and executed.
if (title) {
    t = $("<div>").addClass("notify-title").html(title);
    notify.prepend(t);
}
m = $("<div>").addClass("notify-message").html(message);
m.appendTo(notify);
To Reproduce: If you have a parameter that triggers a notification for Metro, then just put "" into the parameter value, and you should see an alert popping up.
In our case, the problem was when searching for a URL with a parameter: when the URL was not found, it would display the parameter's content like "
How to fix
We fixed it by just replacing ".html" with ".text".
Additional context: Thanks for reading; if you have any questions, feel free to ask.
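The sink and the fix described in this report, as an added example that is not Metro-UI-CSS code and not the reporter's: a Node-runnable model of the Notify.js sink. jQuery's .html(str) parses str as markup, while .text(str) inserts it as a text node, which serializes with '&', '<' and '>' escaped. The function names (escapeText, buildNotify, renderFromUrl, containsActiveMarkup), the query parameter name "q" and the sample payload are assumptions made for this example; the original report's payload was lost in extraction.

```javascript
// Added example, not library code. Models the reported sink in plain JS
// so it runs without a browser or jQuery. All names here are hypothetical.

// What a DOM text node serializes to: the effect of jQuery's .text(str).
// Quotes are not escaped in text content, only '&', '<' and '>'.
function escapeText(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Models the notify markup from the report. mode "html" mirrors the
// vulnerable $("<div>").html(message); mode "text" mirrors the fix,
// $("<div>").text(message).
function buildNotify(title, message, mode) {
  const render = mode === "text" ? escapeText : (s) => String(s);
  let out = '<div class="notify">';
  if (title) {
    out += '<div class="notify-title">' + render(title) + "</div>";
  }
  out += '<div class="notify-message">' + render(message) + "</div>";
  return out + "</div>";
}

// Models the reflected case from the report: a query parameter whose
// value is echoed back in a "not found" notification.
function renderFromUrl(url, param, mode) {
  const value = new URL(url).searchParams.get(param) || "";
  return buildNotify(null, "Nothing found for: " + value, mode);
}

// Constructed sample payload and URL (assumptions for this example).
const PAYLOAD = '<img src=x onerror="alert(1)">';
const SAMPLE_URL =
  "https://example.test/search?q=" + encodeURIComponent(PAYLOAD);

// Crude check used here to show the difference: does the rendered markup
// contain a real element with an inline event handler, or a script tag?
function containsActiveMarkup(markup) {
  return /<\w+[^>]*\son\w+\s*=/i.test(markup) || /<script\b/i.test(markup);
}

console.log("vulnerable:", renderFromUrl(SAMPLE_URL, "q", "html"));
console.log("fixed:     ", renderFromUrl(SAMPLE_URL, "q", "text"));
```

With mode "html" the payload lands in the notification as a live element, which is the alert the reporter describes; with mode "text" the same bytes come out as inert text. The check is deliberately simple and exists only to make the contrast visible; it is not a sanitizer.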