fix: use setAttribute instead of innerHTML to prevent xss

camptocamp · Dec 15, 2023 · 89ab00a · 89ab00a
1 parent 993b8f3
commit 89ab00a
Showing 1 changed file with 6 additions and 4 deletions.
diff --git a/js/controllers/slidecontent.js b/js/controllers/slidecontent.js
@@ -142,13 +142,15 @@ export default class SlideContent {
 
 					// Support comma separated lists of video sources
 					backgroundVideo.split( ',' ).forEach( source => {
+						const sourceElement = document.createElement( 'source' );
+						sourceElement.setAttribute( 'src', source );
+
 						let type = getMimeTypeFromFile( source );
 						if( type ) {
-							video.innerHTML += `<source src="${source}" type="${type}">`;
-						}
-						else {
-							video.innerHTML += `<source src="${source}">`;
+							sourceElement.setAttribute( 'type', type );
 						}
+
+						video.appendChild( sourceElement );
 					} );
 
 					backgroundContent.appendChild( video );