Browse Source

fix: replace innerHTML with safe DOM methods in termynal.js

lineDataToElements() was building a span via innerHTML with an
unsanitized line.value template literal — an XSS vector if lineData
ever receives user-supplied content. Replaced with createElement +
setAttribute + textContent, which cannot execute injected markup
regardless of input.

Remaining innerHTML usages (container clears and static label strings)
are safe and unchanged.

Some code in this commit was written with assistance from Claude Sonnet 4.6 (AI).
pull/15381/head
beejak 3 months ago
parent
commit
2fa969d91f
  1. 16
      docs/en/docs/js/termynal.js

16
docs/en/docs/js/termynal.js

@ -222,10 +222,18 @@ class Termynal {
*/
lineDataToElements(lineData) {
return lineData.map(line => {
let div = document.createElement('div');
div.innerHTML = `<span ${this._attributes(line)}>${line.value || ''}</span>`;
return div.firstElementChild;
const span = document.createElement('span');
for (let prop in line) {
if (prop === 'class') {
span.className = line[prop];
} else if (prop === 'type') {
span.setAttribute(this.pfx, line[prop]);
} else if (prop !== 'value') {
span.setAttribute(`${this.pfx}-${prop}`, line[prop]);
}
}
span.textContent = line.value || '';
return span;
});
}

Loading…
Cancel
Save