prevent XSS on project page
Fixes #115
willnorris committed Apr 20, 2021
1 parent 2ce7de3 commit d698fb9
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion static/js/projects.js
Expand Up @@ -97,7 +97,7 @@ var renderProjects = function(projectsList, searchString="") {
noResultDiv.className = 'no-results'

var noResultPara = document.createElement('p')
noResultPara.innerHTML = "No results for " + '<b>' + searchString + '</b>'
noResultPara.innerText = "No results for " + searchString
noResultDiv.appendChild(noResultPara)

var noResultContainer = document.getElementsByClassName("no-results-container")[0]
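Review bot: At `noResultPara.innerText = "No results for " + searchString`, prefer textContent over innerText. Both keep the search string out of the HTML parser, which is what closes the XSS, but innerText is layout-aware (reading or writing it can force a style/layout pass, and on write it turns line breaks in the string into `<br>` elements), whereas textContent is the plain DOM text setter. If the bold on the search term was wanted, it can be kept without reintroducing innerHTML: `var b = document.createElement('b'); b.textContent = searchString; noResultPara.appendChild(b)` after setting the "No results for " text. This hunk only covers the no-results branch of renderProjects, so it is also worth checking that no other path in the function concatenates searchString into innerHTML.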

2 comments on commit d698fb9

@StringManolo

You can preserve markup; here is a POC:

<html>
<body>
  <input type="text" value="binded">
  <div>binded</div>
  <script>
    /* Return html encoded markup: assigning textContent on a scratch
       element and reading back innerHTML yields the entity-escaped text */
    const str2entities = str => {
      const aux = document.createElement("div");
      aux.textContent = str;
      return aux.innerHTML;
    };

    const div = document.querySelector("div");
    /* Re-render on every keystroke; only the escaped value is spliced into the markup */
    document.querySelector("input").addEventListener("input", e => {
      div.innerHTML = `No XSS but preserve markup example: <b>${str2entities(e.target.value)}</b>`;
    });
  </script>
</body>
</html>

(screenshot attached: Screenshot_20210421_023541)

@willnorris
Contributor Author


Sure, but the markup wasn't really adding much value and changing it to use innerText was a lot simpler.
