jcarr
/
noVNC
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Use textContent instead of innerHTML 

Previously, setting `innerHTML` was used to display the statuses.  These
could include content communicated from the remote VNC server, allowing
the remove VNC server to inject HTML into the noVNC page.

This commit switches all uses of `innerHTML` to use `textContent`, which
is not vulnerable to the HTML injection.
This commit is contained in:
Solly Ross 2017-01-12 11:43:35 -05:00
parent 41f476a863
commit 6048299a13
5 changed files with 16 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
app/ui.js
View File

@ -48,7 +48,7 @@ var UI;
document.getElementById('noVNC_fallback_error')
.classList.add("noVNC_open");
document.getElementById('noVNC_fallback_errormsg').innerHTML = msg;
document.getElementById('noVNC_fallback_errormsg').textContent = msg;
} catch (exc) {
document.write("noVNC encountered an error.");
}
@ -416,7 +416,7 @@ var UI;
switch (state) {
case 'connecting':
document.getElementById("noVNC_transition_text").innerHTML = _("Connecting...");
document.getElementById("noVNC_transition_text").textContent = _("Connecting...");
document.documentElement.classList.add("noVNC_connecting");
break;
case 'connected':
@ -431,7 +431,7 @@ var UI;
break;
case 'disconnecting':
UI.connected = false;
document.getElementById("noVNC_transition_text").innerHTML = _("Disconnecting...");
document.getElementById("noVNC_transition_text").textContent = _("Disconnecting...");
document.documentElement.classList.add("noVNC_disconnecting");
break;
case 'disconnected':
@ -531,7 +531,7 @@ var UI;
break;
}
statusElem.innerHTML = text;
statusElem.textContent = text;
statusElem.classList.add("noVNC_open");
// If no time was specified, show the status for 1.5 seconds

2
tests/input.html
View File

@ -45,7 +45,7 @@
function message(str) {
console.log(str);
cell = document.getElementById('messages');
cell.innerHTML += msg_cnt + ": " + str + newline;
cell.textContent += msg_cnt + ": " + str + newline;
cell.scrollTop = cell.scrollHeight;
msg_cnt++;
}

4
tests/vnc_perf.html
View File

@ -65,7 +65,7 @@
function msg(str) {
console.log(str);
var cell = document.getElementById('messages');
cell.innerHTML += str + "\n";
cell.textContent += str + "\n";
cell.scrollTop = cell.scrollHeight;
}
function dbgmsg(str) {
@ -85,7 +85,7 @@
}
notification = function (rfb, mesg, level, options) {
document.getElementById('VNC_status').innerHTML = mesg;
document.getElementById('VNC_status').textContent = mesg;
}
function do_test() {

4
tests/vnc_playback.html
View File

@ -49,7 +49,7 @@
function message(str) {
console.log(str);
var cell = document.getElementById('messages');
cell.innerHTML += str + "\n";
cell.textContent += str + "\n";
cell.scrollTop = cell.scrollHeight;
}
@ -76,7 +76,7 @@
}
notification = function (rfb, mesg, level, options) {
document.getElementById('VNC_status').innerHTML = mesg;
document.getElementById('VNC_status').textContent = mesg;
}
function start() {

10
vnc_auto.html
View File

@ -111,10 +111,14 @@
var html;
html = '<form onsubmit="return setPassword();"';
html += ' style="margin-bottom: 0px">';
html += msg;
html += '<label></label>'
html += '<input type=password size=10 id="password_input" class="noVNC_status">';
html += '<\/form>';
status(html, "warn");
// bypass status() because it sets text content
document.getElementById('noVNC_status_bar').setAttribute("class", "noVNC_status_warn");
document.getElementById('noVNC_status').innerHTML = html;
document.getElementById('noVNC_status').querySelector('label').textContent = msg;
}
function setPassword() {
rfb.sendPassword(document.getElementById('password_input').value);
@ -146,7 +150,7 @@
level = "warn";
}
document.getElementById('noVNC_status_bar').setAttribute("class", "noVNC_status_" + level);
document.getElementById('noVNC_status').innerHTML = text;
document.getElementById('noVNC_status').textContent = text;
}
function updateState(rfb, state, oldstate) {
var cad = document.getElementById('sendCtrlAltDelButton');