From 6048299a138e078aed210f163111698c8c526a13 Mon Sep 17 00:00:00 2001
From: Solly Ross
Date: Thu, 12 Jan 2017 11:43:35 -0500
Subject: [PATCH] Use textContent instead of innerHTML

Previously, setting `innerHTML` was used to display the statuses. These could include content communicated from the remote VNC server, allowing the remove VNC server to inject HTML into the noVNC page. This commit switches all uses of `innerHTML` to use `textContent`, which is not vulnerable to the HTML injection.
---
 app/ui.js | 8 ++++----
 tests/input.html | 2 +-
 tests/vnc_perf.html | 4 ++--
 tests/vnc_playback.html | 4 ++--
 vnc_auto.html | 10 +++++++---
 5 files changed, 16 insertions(+), 12 deletions(-)

diff --git a/app/ui.js b/app/ui.js
index 0e789c04..8056078b 100644
--- a/app/ui.js
+++ b/app/ui.js
@@ -48,7 +48,7 @@ var UI;
 document.getElementById('noVNC_fallback_error')
 .classList.add("noVNC_open");
- document.getElementById('noVNC_fallback_errormsg').innerHTML = msg;
+ document.getElementById('noVNC_fallback_errormsg').textContent = msg;
 } catch (exc) {
 document.write("noVNC encountered an error.");
 }
@@ -416,7 +416,7 @@ var UI;
 switch (state) {
 case 'connecting':
- document.getElementById("noVNC_transition_text").innerHTML = _("Connecting...");
+ document.getElementById("noVNC_transition_text").textContent = _("Connecting...");
 document.documentElement.classList.add("noVNC_connecting");
 break;
 case 'connected':
@@ -431,7 +431,7 @@ var UI;
 break;
 case 'disconnecting':
 UI.connected = false;
- document.getElementById("noVNC_transition_text").innerHTML = _("Disconnecting...");
+ document.getElementById("noVNC_transition_text").textContent = _("Disconnecting...");
 document.documentElement.classList.add("noVNC_disconnecting");
 break;
 case 'disconnected':
@@ -531,7 +531,7 @@ var UI;
 break;
 }
- statusElem.innerHTML = text;
+ statusElem.textContent = text;
 statusElem.classList.add("noVNC_open");
 // If no time was specified, show the status for 1.5 seconds
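Review bot: The security reason for `statusElem.textContent = text;` (hunk at line 531) lives only in the commit message, so a later refactor could reintroduce `innerHTML` without anything in the code objecting; a why-comment above the assignment would pin it, e.g. `// textContent, never innerHTML: status text can originate from the remote server and must not be parsed as markup.` The same comment fits the other three hunks in this file (the fallback error handler at line 48 and the two transition-text assignments at lines 416 and 431). One thing to confirm: the transition strings come from `_()`, so if any locale's translation of "Connecting..." or "Disconnecting..." relied on HTML entities or tags it will now be shown literally. Each of these hunks sits inside a function whose start and end are outside the hunk.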
diff --git a/tests/input.html b/tests/input.html
index 437d6f33..0938a4ab 100644
--- a/tests/input.html
+++ b/tests/input.html
@@ -45,7 +45,7 @@
 function message(str) {
 console.log(str);
 cell = document.getElementById('messages');
- cell.innerHTML += msg_cnt + ": " + str + newline;
+ cell.textContent += msg_cnt + ": " + str + newline;
 cell.scrollTop = cell.scrollHeight;
 msg_cnt++;
 }
diff --git a/tests/vnc_perf.html b/tests/vnc_perf.html
index c3e6a111..ce97ca4c 100644
--- a/tests/vnc_perf.html
+++ b/tests/vnc_perf.html
@@ -65,7 +65,7 @@
 function msg(str) {
 console.log(str);
 var cell = document.getElementById('messages');
- cell.innerHTML += str + "\n";
+ cell.textContent += str + "\n";
 cell.scrollTop = cell.scrollHeight;
 }
 function dbgmsg(str) {
@@ -85,7 +85,7 @@
 }
 notification = function (rfb, mesg, level, options) {
- document.getElementById('VNC_status').innerHTML = mesg;
+ document.getElementById('VNC_status').textContent = mesg;
 }
 function do_test() {
diff --git a/tests/vnc_playback.html b/tests/vnc_playback.html
index 510ad06d..65b735e7 100644
--- a/tests/vnc_playback.html
+++ b/tests/vnc_playback.html
@@ -49,7 +49,7 @@
 function message(str) {
 console.log(str);
 var cell = document.getElementById('messages');
- cell.innerHTML += str + "\n";
+ cell.textContent += str + "\n";
 cell.scrollTop = cell.scrollHeight;
 }
@@ -76,7 +76,7 @@
 }
 notification = function (rfb, mesg, level, options) {
- document.getElementById('VNC_status').innerHTML = mesg;
+ document.getElementById('VNC_status').textContent = mesg;
 }
 function start() {
diff --git a/vnc_auto.html b/vnc_auto.html
index e86ae5d2..e4fc4676 100644
--- a/vnc_auto.html
+++ b/vnc_auto.html
@@ -111,10 +111,14 @@
 var html;
 html = '
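Review bot: `cell.textContent += msg_cnt + ": " + str + newline;` in tests/input.html now appends whatever `newline` holds as literal text, and `newline` is defined outside this hunk; if it is markup such as `<br>` the log lines will run together with the tag visible, while a `"\n"` only renders as a line break when the `messages` element preserves whitespace. The `"\n"` appends in tests/vnc_perf.html (line 65) and tests/vnc_playback.html (line 49) have the same whitespace caveat, but their rendering is unchanged from before since a bare newline was collapsed under innerHTML too. `+=` on textContent also re-serialises and replaces the element's entire text on every call and discards any child nodes; `cell.appendChild(document.createTextNode(msg_cnt + ": " + str + newline));` appends without rewriting, and the same form suits the other two message helpers. The `notification` assignments in the two later hunks are straightforward replacements and need nothing further.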