summaryrefslogtreecommitdiff
path: root/public/js
diff options
context:
space:
mode:
authorDavid Mehren2020-12-26 14:40:00 +0100
committerDavid Mehren2020-12-27 10:14:27 +0100
commitc32b1cf42b8ec96571815efc4a22a2207519807d (patch)
tree67d1739e5b60b193a4cbd0d97c0c9154a697a9a2 /public/js
parent89ecff4b1c198b8ecaa09e87369160a19d537b89 (diff)
Don't store mermaid diagrams in innerHTML
Using jQuery's `.html()` method stores the given string as `innerHTML`, which enables injection of arbitrary DOM elements. Using `.text()` instead mitigates this issue. Signed-off-by: David Mehren <git@herrmehren.de>
Diffstat (limited to 'public/js')
-rw-r--r--public/js/extra.js2
1 files changed, 1 insertions, 1 deletions
diff --git a/public/js/extra.js b/public/js/extra.js
index 49dd23ce..44db742a 100644
--- a/public/js/extra.js
+++ b/public/js/extra.js
@@ -386,7 +386,7 @@ export function finishView (view) {
window.mermaid.mermaidAPI.parse($value.text())
$ele.addClass('mermaid')
- $ele.html($value.text())
+ $ele.text($value.text())
window.mermaid.init(undefined, $ele)
} catch (err) {
var errormessage = err