GitHub/noVNC
1
0
Fork 0
mirror of https://github.com/novnc/noVNC.git synced 2026-06-08 05:14:37 +00:00
Code Issues Packages Projects Releases Wiki Activity

Use textContent instead of innerHTML

Browse Source 
Previously, setting `innerHTML` was used to display the statuses.  These
could include content communicated from the remote VNC server, allowing
the remove VNC server to inject HTML into the noVNC page.

This commit switches all uses of `innerHTML` to use `textContent`, which
is not vulnerable to the HTML injection.
This commit is contained in:
Solly Ross
2017-01-12 11:43:35 -05:00
parent da82b3426c
commit 15ce2f71eb
10 changed files with 14 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
include/ui.js
View File

@@ -285,7 +285,7 @@ var UI;
if (typeof(msg) !== 'undefined') {
$D('noVNC_control_bar').setAttribute("class", klass);
$D('noVNC_status').innerHTML = msg;
$D('noVNC_status').textContent = msg;
}
UI.updateVisualState();
@@ -360,9 +360,9 @@ var UI;
clearTimeout(UI.popupStatusTimeout);
if (typeof text === 'string') {
psp.innerHTML = text;
psp.textContent = text;
} else {
psp.innerHTML = $D('noVNC_status').innerHTML;
psp.textContent = $D('noVNC_status').textContent;
}
psp.style.display = "block";
psp.style.left = window.innerWidth/2 -