diff options
author | David Mehren | 2020-12-26 14:40:00 +0100 |
---|---|---|
committer | David Mehren | 2020-12-27 10:14:27 +0100 |
commit | c32b1cf42b8ec96571815efc4a22a2207519807d (patch) | |
tree | 67d1739e5b60b193a4cbd0d97c0c9154a697a9a2 /public | |
parent | 89ecff4b1c198b8ecaa09e87369160a19d537b89 (diff) |
Don't store mermaid diagrams in innerHTML
Using jQuery's `.html()` method stores the given string as `innerHTML`, which enables injection of arbitrary DOM elements.
Using `.text()` instead mitigates this issue.
Signed-off-by: David Mehren <git@herrmehren.de>
Diffstat (limited to '')
-rw-r--r-- | public/js/extra.js | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/public/js/extra.js b/public/js/extra.js index 49dd23ce..44db742a 100644 --- a/public/js/extra.js +++ b/public/js/extra.js @@ -386,7 +386,7 @@ export function finishView (view) { window.mermaid.mermaidAPI.parse($value.text()) $ele.addClass('mermaid') - $ele.html($value.text()) + $ele.text($value.text()) window.mermaid.init(undefined, $ele) } catch (err) { var errormessage = err |