From 15ce2f71eb660c03237a58a589cd8ad84aa7f20d Mon Sep 17 00:00:00 2001
From: Solly Ross
Date: Thu, 12 Jan 2017 11:43:35 -0500
Subject: [PATCH] Use textContent instead of innerHTML

Previously, setting `innerHTML` was used to display the statuses. These could include content communicated from the remote VNC server, allowing the remove VNC server to inject HTML into the noVNC page. This commit switches all uses of `innerHTML` to use `textContent`, which is not vulnerable to the HTML injection.
---
 include/ui.js | 6 +++---
 tests/arrays.js | 2 +-
 tests/base64.html | 2 +-
 tests/canvas.html | 2 +-
 tests/cursor.html | 2 +-
 tests/input.html | 2 +-
 tests/viewport.html | 2 +-
 tests/vnc_perf.html | 4 ++--
 tests/vnc_playback.html | 4 ++--
 vnc_auto.html | 2 +-
 10 files changed, 14 insertions(+), 14 deletions(-)

diff --git a/include/ui.js b/include/ui.js
index be56d513..327c49d3 100644
--- a/include/ui.js
+++ b/include/ui.js
@@ -285,7 +285,7 @@ var UI;
 if (typeof(msg) !== 'undefined') {
 $D('noVNC_control_bar').setAttribute("class", klass);
- $D('noVNC_status').innerHTML = msg;
+ $D('noVNC_status').textContent = msg;
 }
 UI.updateVisualState();
@@ -360,9 +360,9 @@ var UI;
 clearTimeout(UI.popupStatusTimeout);
 if (typeof text === 'string') {
- psp.innerHTML = text;
+ psp.textContent = text;
 } else {
- psp.innerHTML = $D('noVNC_status').innerHTML;
+ psp.textContent = $D('noVNC_status').textContent;
 }
 psp.style.display = "block";
 psp.style.left = window.innerWidth/2 -
diff --git a/tests/arrays.js b/tests/arrays.js
index 69da7fbb..843df7df 100644
--- a/tests/arrays.js
+++ b/tests/arrays.js
@@ -36,7 +36,7 @@ if (Util.Engine.trident) {
 function message(str) {
 //console.log(str);
 cell = $D('messages');
- cell.innerHTML += str + newline;
+ cell.textContent += str + newline;
 cell.scrollTop = cell.scrollHeight;
 }
diff --git a/tests/base64.html b/tests/base64.html
index dc45fdd5..071dde63 100644
--- a/tests/base64.html
+++ b/tests/base64.html
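Review bot: The new `$D('noVNC_status').textContent = msg;` line in the first include/ui.js hunk carries no hint of why `innerHTML` must not come back, so a later refactor can quietly reintroduce the sink the commit closes; a one-line comment above it would pin the intent, e.g. `// textContent, not innerHTML: msg can carry text received from the remote VNC server`. The same comment is worth adding at the status setters in vnc_auto.html, tests/vnc_perf.html and tests/vnc_playback.html. The function enclosing this hunk starts and ends outside the hunk.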
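Review bot: `cell.textContent += str + newline;` in tests/arrays.js now renders whatever `newline` holds as literal text, and `newline` is defined outside the hunk; if it contains markup rather than a plain `"\n"` (the diff does not show its value), the log will display that markup verbatim instead of breaking lines. Confirm `newline` is `"\n"` and that the `messages` element preserves whitespace, or append a text node followed by a `document.createElement('br')` instead of relying on the string. The same applies to the `message` functions in tests/input.html and tests/viewport.html, which also append `newline`. The hunk header's `if (Util.Engine.trident) {` suggests `message` sits inside a conditional that begins before the hunk.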
@@ -20,7 +20,7 @@
 function debug(str) {
 console.log(str);
 cell = $D('debug');
- cell.innerHTML += str + "\n";
+ cell.textContent += str + "\n";
 cell.scrollTop = cell.scrollHeight;
 }
diff --git a/tests/canvas.html b/tests/canvas.html
index 010e8f35..f0dd24a8 100644
--- a/tests/canvas.html
+++ b/tests/canvas.html
@@ -42,7 +42,7 @@
 function message(str) {
 console.log(str);
 cell = $D('messages');
- cell.innerHTML += msg_cnt + ": " + str + "\n";
+ cell.textContent += msg_cnt + ": " + str + "\n";
 cell.scrollTop = cell.scrollHeight;
 msg_cnt += 1;
 }
diff --git a/tests/cursor.html b/tests/cursor.html
index 91e621b3..fd25e4bb 100644
--- a/tests/cursor.html
+++ b/tests/cursor.html
@@ -35,7 +35,7 @@
 function debug(str) {
 console.log(str);
 cell = $D('debug');
- cell.innerHTML += str + "\n";
+ cell.textContent += str + "\n";
 cell.scrollTop = cell.scrollHeight;
 }
diff --git a/tests/input.html b/tests/input.html
index 8416379b..04d7edef 100644
--- a/tests/input.html
+++ b/tests/input.html
@@ -44,7 +44,7 @@
 function message(str) {
 console.log(str);
 cell = $D('messages');
- cell.innerHTML += msg_cnt + ": " + str + newline;
+ cell.textContent += msg_cnt + ": " + str + newline;
 cell.scrollTop = cell.scrollHeight;
 msg_cnt++;
 }
diff --git a/tests/viewport.html b/tests/viewport.html
index 374d8b15..8daff24e 100644
--- a/tests/viewport.html
+++ b/tests/viewport.html
@@ -56,7 +56,7 @@
 function message(str) {
 console.log(str);
 cell = $D('messages');
- cell.innerHTML += msg_cnt + ": " + str + newline;
+ cell.textContent += msg_cnt + ": " + str + newline;
 cell.scrollTop = cell.scrollHeight;
 msg_cnt++;
 }
diff --git a/tests/vnc_perf.html b/tests/vnc_perf.html
index 9acea882..20c2e07d 100644
--- a/tests/vnc_perf.html
+++ b/tests/vnc_perf.html
@@ -64,7 +64,7 @@
 function msg(str) {
 console.log(str);
 var cell = $D('messages');
- cell.innerHTML += str + "\n";
+ cell.textContent += str + "\n";
 cell.scrollTop = cell.scrollHeight;
 }
 function dbgmsg(str) {
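Review bot: `cell.textContent += str + "\n";` in tests/base64.html only yields a visible line break if the `debug` element preserves whitespace (a `<pre>`, or `white-space: pre`/`pre-wrap` in its CSS); the diff does not show the element, so confirm that, otherwise successive messages run together on one line now that `"\n"` is no longer followed by markup. Separately, `+=` on `textContent` re-reads and rewrites the element's whole text on every call, which grows quadratically over a long test log; `cell.appendChild(document.createTextNode(str + "\n"));` appends with the same no-HTML guarantee and without the rewrite. The same shape appears in tests/canvas.html, tests/cursor.html, tests/vnc_perf.html (`msg`) and tests/vnc_playback.html (`message`).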
@@ -88,7 +88,7 @@
 break;
 }
 if (typeof mesg !== 'undefined') {
- $D('VNC_status').innerHTML = mesg;
+ $D('VNC_status').textContent = mesg;
 }
 }
diff --git a/tests/vnc_playback.html b/tests/vnc_playback.html
index cfc5953b..2063f0c2 100644
--- a/tests/vnc_playback.html
+++ b/tests/vnc_playback.html
@@ -51,7 +51,7 @@
 function message(str) {
 console.log(str);
 var cell = $D('messages');
- cell.innerHTML += str + "\n";
+ cell.textContent += str + "\n";
 cell.scrollTop = cell.scrollHeight;
 }
@@ -78,7 +78,7 @@
 break;
 }
 if (typeof msg !== 'undefined') {
- $D('VNC_status').innerHTML = msg;
+ $D('VNC_status').textContent = msg;
 }
 }
diff --git a/vnc_auto.html b/vnc_auto.html
index 2d81cca7..878d05a8 100644
--- a/vnc_auto.html
+++ b/vnc_auto.html
@@ -152,7 +152,7 @@
 if (typeof(msg) !== 'undefined') {
 sb.setAttribute("class", "noVNC_status_" + level);
- s.innerHTML = msg;
+ s.textContent = msg;
 }
 }