From ba36c91c38115e3b3b7d5888493541ac4bb9ccd7 Mon Sep 17 00:00:00 2001
From: btangmu <thomasbishop@wenlin.com>
Date: Wed, 22 Nov 2023 10:32:42 -0500
Subject: [PATCH] CLDR-17248 Measure vote timing; log times to console;
 refactor to use fetch

-Make cldrVote.CLDR_VOTE_DEBUG true; log times to console

-Refactor to use modern cldrAjax.doFetch instead of legacy cldrAjax.sendXhr

-Reduce very long functions and nested subroutines

-Sanitize error message with new method makeSafe to avoid security warning

-Comments
---
 tools/cldr-apps/js/src/esm/cldrVote.mjs | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/tools/cldr-apps/js/src/esm/cldrVote.mjs b/tools/cldr-apps/js/src/esm/cldrVote.mjs
index 742dc5b7a34..83482b93a67 100644
--- a/tools/cldr-apps/js/src/esm/cldrVote.mjs
+++ b/tools/cldr-apps/js/src/esm/cldrVote.mjs
@@ -214,7 +214,7 @@ function handleVoteErr(tr, message, button) {
     "<td colspan='4'>" +
     cldrStatus.stopIcon() +
     " Could not check value. Try reloading the page.<br>" +
-    message +
+    makeSafe(message) +
     "</td>";
   cldrRetry.handleDisconnect("Error submitting a vote");
   button.className = "ichoice-o";
@@ -222,6 +222,19 @@ function handleVoteErr(tr, message, button) {
   cldrSurvey.hideLoader();
 }
 
+/**
+ * Avoid warning, "Directly writing error messages to a webpage without sanitization allows for a cross-site
+ * scripting vulnerability if parts of the error message can be influenced by a user."
+ *
+ * @param {String} s the raw string
+ * @returns the sanitized string
+ */
+function makeSafe(s) {
+  const div = document.createElement("div");
+  div.innerHTML = s;
+  return div.textContent;
+}
+
 function logVote(rowHash, vHash, value) {
   console.log(
     "Vote for " +