Hii @Hackwar this PR is ready for review.
Could you please take a look when you have time? Let me know if you have any questions or suggestions. Thanks!

How this can actually being exploited within the core? Can you provide some testing instructions how we can reproduce the issue you are trying to fix?

Hii @laoneo Thanks For Review
Here is Explanation

Explanation of Fix:

The change implemented here sanitizes the HTML content generated by qr.createImgTag(4) before it is inserted into the DOM.

Before the Change:

elTarget.innerHTML = qr.createImgTag(4);

This approach directly inserts the raw HTML output from qr.createImgTag(4) into the DOM. If this function can be influenced by untrusted input (e.g., user input or external data), it could potentially introduce security vulnerabilities such as Cross-Site Scripting (XSS). This would allow an attacker to inject malicious JavaScript (e.g., via <script> tags or event handlers) into the page, leading to the execution of arbitrary scripts in the user's browser. For example, an attacker could steal cookies, session tokens, or perform actions on behalf of the user.

After the Change:

elTarget.innerHTML = Joomla.sanitizeHtml(qr.createImgTag(4));

By using Joomla.sanitizeHtml(), we ensure that any potentially dangerous content (like <script> tags, event handlers, or inline JavaScript) is stripped from the generated HTML. This significantly reduces the risk of XSS attacks and ensures the content inserted into the page is safe.

Thank

But we need some testing instructions to actually see what for a bug it fixes.

I have tested this item ✅ successfully on e57055f

code review

Hii @brianteeman
Is there Anything Else is Required From My Side?
Thanks

The actual markup for innerHTML is not userprovided, there is no vector for an XSS here.

I suggest to close the PR.

Nevertheless: thank you!