From c32b1cf42b8ec96571815efc4a22a2207519807d Mon Sep 17 00:00:00 2001
From: David Mehren
Date: Sat, 26 Dec 2020 14:40:00 +0100
Subject: Don't store mermaid diagrams in innerHTML

Using jQuery's `.html()` method stores the given string as `innerHTML`, which enables injection of arbitrary DOM elements. Using `.text()` instead mitigates this issue.

Signed-off-by: David Mehren
---
 public/js/extra.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'public/js/extra.js')

diff --git a/public/js/extra.js b/public/js/extra.js
index 49dd23ce..44db742a 100644
--- a/public/js/extra.js
+++ b/public/js/extra.js
@@ -386,7 +386,7 @@ export function finishView (view) {
 window.mermaid.mermaidAPI.parse($value.text())
 $ele.addClass('mermaid')
- $ele.html($value.text())
+ $ele.text($value.text())
 window.mermaid.init(undefined, $ele)
 } catch (err) {
 var errormessage = err
-- 
cgit v1.2.3
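Review bot: The switch to `$ele.text(...)` stops the diagram source from being parsed as HTML, but the same user-controlled string is still handed to `window.mermaid.init(undefined, $ele)` on the next line, which renders it into the DOM as SVG; whether that output is sanitized depends on how mermaid is initialized, which is not visible in this hunk, so it is worth confirming the renderer's sanitization is left at its restrictive default rather than relying on this line alone. The reason for `.text()` is not recorded in the code and a later cleanup could plausibly revert to `.html()`, so I would pin it with a comment above the changed line: `// .text(), not .html(): the diagram source is user input and must never reach innerHTML`. The surrounding try/catch and the body of finishView start and end outside the hunk.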