pad_impexp: Use jQuery to build the import failure popup

This reduces the chances of accidentally introducing an XSS vulnerability.
2021-02-07 20:52:28 -05:00 · 2021-02-07 20:52:28 -05:00 · cc52811cd0
parent d869d96a2b
commit cc52811cd0
1 changed files with 6 additions and 3 deletions
--- a/src/static/js/pad_impexp.js
+++ b/src/static/js/pad_impexp.js
@ -84,9 +84,12 @@ const padimpexp = (() => {
    const msg = html10n.get(`pad.impexp.${known.indexOf(status) !== -1 ? status : 'copypaste'}`);

    const showError = (fade) => {
-      $('#importmessagefail').html(
-          `<strong style="color: red">${html10n.get('pad.impexp.importfailed')}:</strong> ` +
-          `${msg}`)[(fade ? 'fadeIn' : 'show')]();
+      const popup = $('#importmessagefail').empty()
+          .append($('<strong>')
+              .css('color', 'red')
+              .text(`${html10n.get('pad.impexp.importfailed')}: `))
+          .append(document.createTextNode(msg));
+      popup[(fade ? 'fadeIn' : 'show')]();
    };

    if ($('#importexport .importmessage').is(':visible')) {