]> git.proxmox.com Git - mirror_novnc.git/commit - app/ui.js
projects / mirror_novnc.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 41f476a) | patch
Use textContent instead of innerHTML
authorSolly Ross <sross@redhat.com>
Thu, 12 Jan 2017 16:43:35 +0000 (11:43 -0500)
committerSolly Ross <sross@redhat.com>
Thu, 12 Jan 2017 19:47:36 +0000 (14:47 -0500)
commit6048299a138e078aed210f163111698c8c526a13
tree5b48873a37c10c95ff379993f034eb9ef3104d1atree
parent41f476a86357f1404fcca078212c702599bbcc57commit | diff
Use textContent instead of innerHTML

Previously, setting `innerHTML` was used to display the statuses.  These
could include content communicated from the remote VNC server, allowing
the remove VNC server to inject HTML into the noVNC page.

This commit switches all uses of `innerHTML` to use `textContent`, which
is not vulnerable to the HTML injection.
app/ui.js diff | blob | blame | history
tests/input.html diff | blob | blame | history
tests/vnc_perf.html diff | blob | blame | history
tests/vnc_playback.html diff | blob | blame | history
vnc_auto.html diff | blob | blame | history
noVNC mirror