fix: replace a few innerHTML by more secure alternatives (#887)

6pac · Oct 27, 2023 · ada4690 · ada4690
1 parent 3d9aecb
commit ada4690
Show file tree

Hide file tree

Showing 7 changed files with 13 additions and 13 deletions.
diff --git a/controls/slick.columnmenu.js b/controls/slick.columnmenu.js
@@ -72,7 +72,7 @@
       const spanCloseElm = document.createElement('span');
       spanCloseElm.className = 'close';
       spanCloseElm.ariaHidden = 'true';
-      spanCloseElm.innerHTML = '&times;';
+      spanCloseElm.textContent = '×';
       buttonElm.appendChild(spanCloseElm);
       _menuElm.appendChild(buttonElm);
 
@@ -300,13 +300,13 @@
         col.hidden = false;
         visibleColumns.splice(idx, 0, col);
       } else {
-        let newVisibleColumns = [];      
+        let newVisibleColumns = [];
         for (let i = 0; i < visibleColumns.length; i++) {
           if (visibleColumns[i].id !== col.id) { newVisibleColumns.push(visibleColumns[i]); }
         }
         visibleColumns = newVisibleColumns;
       }
- 
+
       _grid.setColumns(visibleColumns);
       onColumnsChanged.notify({ columnId: col.id, showing: show, allColumns: columns, columns: visibleColumns, grid: _grid });
      }

diff --git a/controls/slick.columnpicker.js b/controls/slick.columnpicker.js
@@ -73,7 +73,7 @@
       const spanCloseElm = document.createElement('span');
       spanCloseElm.className = 'close';
       spanCloseElm.ariaHidden = 'true';
-      spanCloseElm.innerHTML = '&times;';
+      spanCloseElm.textContent = '×';
       buttonElm.appendChild(spanCloseElm);
       _menuElm.appendChild(buttonElm);
 
@@ -301,13 +301,13 @@
         col.hidden = false;
         visibleColumns.splice(idx, 0, col);
       } else {
-        let newVisibleColumns = [];      
+        let newVisibleColumns = [];
         for (let i = 0; i < visibleColumns.length; i++) {
           if (visibleColumns[i].id !== col.id) { newVisibleColumns.push(visibleColumns[i]); }
         }
         visibleColumns = newVisibleColumns;
       }
- 
+
       _grid.setColumns(visibleColumns);
       onColumnsChanged.notify({ columnId: col.id, showing: show, allColumns: columns, columns: visibleColumns, grid: _grid });
      }

diff --git a/controls/slick.gridmenu.js b/controls/slick.gridmenu.js
@@ -236,7 +236,7 @@
       const spanCloseElm = document.createElement('span');
       spanCloseElm.className = 'close';
       spanCloseElm.ariaHidden = 'true';
-      spanCloseElm.innerHTML = '&times;';
+      spanCloseElm.textContent = '×';
       buttonElm.appendChild(spanCloseElm);
       _menuElm.appendChild(buttonElm);
 

diff --git a/controls/slick.pager.js b/controls/slick.pager.js
@@ -45,7 +45,7 @@
     function destroy() {
       setPageSize(0);
       _bindingEventService.unbindAll();
-      container.innerHTML = '';
+      Slick.Utils.emptyElement(container);
     }
 
     function getNavState() {

diff --git a/plugins/slick.cellmenu.js b/plugins/slick.cellmenu.js
@@ -235,7 +235,7 @@
       const spanCloseElm = document.createElement('span');
       spanCloseElm.className = 'close';
       spanCloseElm.ariaHidden = 'true';
-      spanCloseElm.innerHTML = '&times;';
+      spanCloseElm.textContent = '×';
       closeButtonElm.appendChild(spanCloseElm);
 
       // -- Option List section

diff --git a/plugins/slick.contextmenu.js b/plugins/slick.contextmenu.js
@@ -259,7 +259,7 @@
       const spanCloseElm = document.createElement('span');
       spanCloseElm.className = 'close';
       spanCloseElm.ariaHidden = 'true';
-      spanCloseElm.innerHTML = '&times;';
+      spanCloseElm.textContent = '×';
       closeButtonElm.appendChild(spanCloseElm);
 
       // -- Option List section

diff --git a/slick.grid.js b/slick.grid.js
@@ -2697,7 +2697,7 @@ if (typeof Slick === "undefined") {
           if (len > max) { max = len; maxText = formatterResult; }
         }
 
-          cellEl.innerHTML = maxText;
+          cellEl.textContent = maxText;
           len = cellEl.offsetWidth;
 
           rowEl.remove();
@@ -3677,7 +3677,7 @@ if (typeof Slick === "undefined") {
           formatterResult =  getFormatter(row, m)(row, columnIdx, getDataItemValueForColumn(d, m), m, d, self);
           applyFormatResultToCellNode(formatterResult, node);
         } else {
-          node.innerHTML = "";
+          utils.emptyElement(node);
         }
       }
 
@@ -5280,7 +5280,7 @@ if (typeof Slick === "undefined") {
 
       // don't clear the cell if a custom editor is passed through
       if (!editor && !useEditor.suppressClearOnEdit) {
-        activeCellNode.innerHTML = "";
+        utils.emptyElement(activeCellNode);
       }
 
       var metadata = data.getItemMetadata && data.getItemMetadata(activeRow);