Previously, setting `innerHTML` was used to display the statuses. These
could include content communicated from the remote VNC server, allowing
the remove VNC server to inject HTML into the noVNC page.
This commit switches all uses of `innerHTML` to use `textContent`, which
is not vulnerable to the HTML injection.
Rename the $() selector to $D() so that it doesn't collide with
the jQuery name.
The API change is that the 'target' option for Canvas and RFB objects
must now be a DOM Canvas element. A string is no longer accepted
because this requires that a DOM lookup is done and the Canvas and RFB
should have no UI code in them. Modularity.
- util.js that contains essential functions
- webutils.js that contains the GUI utility function.js
this helps to include noVNC in other project, especially Cappuccino Application
i
Interestingly it turns out that using the native base64 routines does
not improve performance. Likely because the actual time is in
marshalling/unmarshalling between strings and arrays (and associated
garbage collection overhead) which has to be done either way.
Solly Ross
Joel Martin
Antoine Mercadal