Thanks for the explaination! This is Lorenzo, main author of Janus.

Looking at the details, this sounds more like an issue with the sample demo page, rather than a problem in the Janus server codebase instead. We do have some escaping for messages, but we indeed forgot to do the same for display names (which as you pointed out are inserted in the HTML code directly too), so this should be an easy fix.

Unless you think this is more of an issue in the server side instead, which allows such IDs to be used in the first place? In fact, while it's easy for us to fix it in our demo, there may be other implementations doing something similar and not knowing this might be an issue: limiting the scope of display names would help here, but could be overly constraining. As an alternative, we can simply add some documentation for the plugin that explains this can happen.

As a side note, what's the proper etiquette when submitting patches to fix the problem? Creating a pull request that describes the issue and the fix, and crediting the reporter? Thanks!

I confirm there s no issue with server side only on client side where the payload is executed, glad to hear from your side good luck for the fix

You can refer to this issue https://github.com/netbox-community/netbox/issues/7788 I guess the same process is followed by everyone

Ack, will do it, thanks! I'm working on a patch right now, so it should hopefully be ready soon.