Replace innerHTML with innerText

vidartf · vidartf · commit d68aed3fea36 · 2021-10-05T12:47:34.000+01:00
For any content where the user can potentially influence the content.
diff --git a/packages/labextension/src/widget.ts b/packages/labextension/src/widget.ts
@@ -241,9 +241,11 @@ namespace Private {
         <button class="nbdime-export" style="display: none">Export diff</button>
       </div>
       <div class=nbdime-header-banner>
-        <span class="nbdime-header-base">${baseLabel}</span>
-        <span class="nbdime-header-remote">${remoteLabel}</span>
+        <span class="nbdime-header-base"></span>
+        <span class="nbdime-header-remote"></span>
       </div>`;
+    (node.getElementsByClassName("nbdime-header-base")[0] as HTMLSpanElement).innerText = baseLabel;
+    (node.getElementsByClassName("nbdime-header-remote")[0] as HTMLSpanElement).innerText = remoteLabel;
 
     return new Widget({node});
   }
diff --git a/packages/nbdime/src/common/util.ts b/packages/nbdime/src/common/util.ts
@@ -298,7 +298,7 @@ function buildSelect(options: string[], select?: HTMLSelectElement): HTMLSelectE
   }
   for (let option of options) {
     let opt = document.createElement('option');
-    opt.value = opt.innerHTML = option;
+    opt.value = opt.innerText = option;
     select.appendChild(opt);
   }
   return select;
diff --git a/packages/webapp/src/app/diff.ts b/packages/webapp/src/app/diff.ts
@@ -182,11 +182,14 @@ function onDiffRequestCompleted(data: any) {
  */
 function onDiffRequestFailed(response: string) {
   console.log('Diff request failed.');
-  let root = document.getElementById('nbdime-root');
+  const root = document.getElementById('nbdime-root');
   if (!root) {
     throw new Error('Missing root element "nbidme-root"');
   }
-  root.innerHTML = '<pre>' + response + '</pre>';
+  const pre = document.createElement('pre');
+  pre.innerText = response;
+  root.innerHTML = '';
+  root.appendChild(pre);
   diffWidget = null;
   toggleSpinner(false);
 }
diff --git a/packages/webapp/src/app/merge.ts b/packages/webapp/src/app/merge.ts
@@ -177,7 +177,10 @@ function onMergeRequestFailed(response: string) {
   if (!root) {
     throw new Error('Missing root element "nbidme-root"');
   }
-  root.innerHTML = '<pre>' + response + '</pre>';
+  const pre = document.createElement('pre');
+  pre.innerText = response;
+  root.innerHTML = '';
+  root.appendChild(pre);
   mergeWidget = null;
   toggleSpinner(false);
 }

Original file line number	Diff line number	Diff line change
`@@ -298,7 +298,7 @@ function buildSelect(options: string[], select?: HTMLSelectElement): HTMLSelectE`
`298`	`298`	`}`
`299`	`299`	`for (let option of options) {`
`300`	`300`	`let opt = document.createElement('option');`
`301`		`- opt.value = opt.innerHTML = option;`
	`301`	`+ opt.value = opt.innerText = option;`
`302`	`302`	`select.appendChild(opt);`
`303`	`303`	`}`
`304`	`304`	`return select;`
Original file line number	Diff line number	Diff line change
`@@ -177,7 +177,10 @@ function onMergeRequestFailed(response: string) {`
`177`	`177`	`if (!root) {`
`178`	`178`	`throw new Error('Missing root element "nbidme-root"');`
`179`	`179`	`}`
`180`		`- root.innerHTML = '<pre>' + response + '</pre>';`
	`180`	`+ const pre = document.createElement('pre');`
	`181`	`+ pre.innerText = response;`
	`182`	`+ root.innerHTML = '';`
	`183`	`+ root.appendChild(pre);`
`181`	`184`	`mergeWidget = null;`
`182`	`185`	`toggleSpinner(false);`
`183`	`186`	`}`