81497efd55
Previously we were using innerHTML to insert user-generated content (usernames) into the document. While we were sanitizing these correctly, it was hard to tell that we were and required a level of knowledge about what was kept where (e.g. were we getting the usernames from the sanitized cache or from an unsanitized event?) By replacing innerHTML with innerText, this commit removes the risk of someone making a mistake like using the wrong variable and introducing XSS. It also makes the code more obviously secure Unfortunately, w2overlay doesn't support using any property that is not "html" to provide a message, so we can't directly use innerText. For now I'll move the sanitization process directly above where we set the message to make it obvious, but for this reason (and typescript) we should consider replacing w2overlay in the near future Signed-off-by: Skyler Grey <skyler.grey@collabora.com> Change-Id: If935dc2d765dd5e345ce760cad88386ea98d97b4 |
||
|---|---|---|
| .. | ||
| btns.css | ||
| color-palette-dark.css | ||
| color-palette.css | ||
| cool.css | ||
| device-desktop.css | ||
| device-mobile.css | ||
| device-tablet.css | ||
| editor.css | ||
| iframedialog.css | ||
| impress-mobile.css | ||
| impress.css | ||
| infobar.css | ||
| jquery-ui-lightness.css | ||
| jsdialogs.css | ||
| jssidebar.css | ||
| leaflet-spinner.css | ||
| leaflet.css | ||
| menubar.css | ||
| mobilewizard.css | ||
| notebookbar.css | ||
| override-smartmenus.css | ||
| override-vex.css | ||
| partsPreviewControl.css | ||
| searchControl.css | ||
| selectionMarkers.css | ||
| sidebar.css | ||
| spreadsheet.css | ||
| toolbar.css | ||
| w2ui-1.5.rc1.css | ||
| welcome.css | ||
| writer-mobile.css | ||
| writer.css | ||