Make $Button safely treat text as plain again (not HTML)
I'm not terribly worried about XSS here, but it is a good practice to avoid implicit HTML parsing. Mainly, though, I really don't want to go through every button in my app to make sure the formatting is okay, so I'm changing this back to treating text as text, and handling the one place where I need HTML specially, by passing an Element instead.main
Isaiah Odhner
parent
2bd020711c
commit
7db534a49b
|
|
@ -84,7 +84,12 @@
|
|||
$w.$buttons = $(E("div")).appendTo($w.$form).addClass("button-group");
|
||||
|
||||
$w.$Button = (label, action, options = { type: "button" }) => {
|
||||
const $b = $(E("button")).appendTo($w.$buttons).html(label);
|
||||
const $b = $(E("button")).appendTo($w.$buttons);
|
||||
|
||||
// jQuery's append() is unsafe (text interpreted as HTML); native append() is safe,
|
||||
// and accepts text, DOM nodes, or DocumentFragments.
|
||||
$b[0].append(label);
|
||||
|
||||
$b.on("click", (e) => {
|
||||
action();
|
||||
});
|
||||
|
|
|
|||
|
|
@ -2962,7 +2962,8 @@ function image_attributes() {
|
|||
image_attributes.$window.close();
|
||||
});
|
||||
|
||||
$w.$Button(display_hotkey(localize("&Default")), () => {
|
||||
// Parsing HTML with jQuery; $Button takes text (not HTML) or Node/DocumentFragment
|
||||
$w.$Button($.parseHTML(display_hotkey(localize("&Default")))[0], () => {
|
||||
width_in_px = default_canvas_width;
|
||||
height_in_px = default_canvas_height;
|
||||
$width.val(width_in_px / unit_sizes_in_px[current_unit]);
|
||||
|
|
|
|||
Loading…
Reference in New Issue