Replace usage of .html(...) with .text(...) where possible;
Wrap input with fs.sanitize(...) where .html() must be used.
Change-Id: I39e20b6fb561b3a1801579ca6a86a5f94483e4a9
diff --git a/web/gui/src/main/webapp/app/view/app/app.js b/web/gui/src/main/webapp/app/view/app/app.js
index 131c56f..a71cb2d 100644
--- a/web/gui/src/main/webapp/app/view/app/app.js
+++ b/web/gui/src/main/webapp/app/view/app/app.js
@@ -126,7 +126,7 @@
bottom = container.append('div').classed('bottom', true);
function nTable(hdr, cls) {
- bottom.append('h2').html(hdr);
+ bottom.append('h2').text(hdr);
bottom.append('div').classed(cls, true).append('table');
}
@@ -139,7 +139,7 @@
var tr = tbody.append('tr');
function addCell(cls, txt) {
- tr.append('td').attr('class', cls).html(txt);
+ tr.append('td').attr('class', cls).text(txt);
}
addCell('label', friendlyProps[index] + ':');
@@ -147,6 +147,7 @@
}
function urlize(u) {
+ u = fs.sanitize(u);
return '<a href="' + u + '" target="_blank">' + u + '</a>';
}
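Review bot: The added `u = fs.sanitize(u);` escapes the value, but the same value is then used in two contexts on the next line, as the `href` attribute and as the link text, and an HTML escaper only neutralises markup characters; it does not constrain the URL scheme, so a non-http value still becomes a live, clickable link if `u` can be influenced by a remote peer (the implementation of `fs.sanitize` is not in this diff, so this is inferred). A defensive `urlize` should only build an anchor for values that start with `http://` or `https://` and return the escaped text otherwise; the `target="_blank"` anchor should also carry `rel="noopener noreferrer"` so the opened page cannot reach back to this window via `window.opener`. The rewritten body follows; the function is fully visible in the hunk.
```javascript
function urlize(u) {
    u = fs.sanitize(u);
    // Escaping does not validate the scheme; only link to web URLs.
    if (!/^https?:\/\//i.test(u)) {
        return u;
    }
    return '<a href="' + u + '" target="_blank" rel="noopener noreferrer">' + u + '</a>';
}
```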
@@ -182,7 +183,7 @@
tbody = table.append('tbody');
items.forEach(function (item) {
- tbody.append('tr').append('td').html(item);
+ tbody.append('tr').append('td').text(item);
});
}
@@ -289,7 +290,8 @@
var content = ds.createDiv();
content.append('p').text(fs.cap(action) + ' ' + itemId);
if (strongWarning[itemId]) {
- content.append('p').html(discouragement).classed('strong', true);
+ content.append('p').html(fs.sanitize(discouragement))
+ .classed('strong', true);
}
return content;
}
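Review bot: On the two added lines, `.html(fs.sanitize(discouragement))` is equivalent to `.text(discouragement)` whenever `fs.sanitize` is a plain HTML escaper, and the `.text()` form is what the rest of this commit uses and does not depend on the sanitizer's semantics; `discouragement` is defined outside the hunk, so I cannot tell whether it contains intended markup. If it is plain text, prefer `content.append('p').text(discouragement).classed('strong', true);`. If it does carry markup that must survive, add a comment above the call stating that `discouragement` is a fixed string defined in this file and why `.html()` is required here, so the next reader does not mistake it for an unescaped sink.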