fix(TextBox): prevent insertion of HTML

This prevents the evaluation of arbitrary JavaScript when pasting HTML code into the edit box such as ```javascript <video src=1 onerror=alert('hueh')> ``` Related to bpmn-io/bpmn-js#1073
bpmn-io · Jun 12, 2019 · 122cb92 · 122cb92
1 parent c0bbe85
commit 122cb92
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/lib/TextBox.js b/lib/TextBox.js
@@ -202,8 +202,8 @@ TextBox.prototype.handlePaste = function(e) {
     text = window.clipboardData.getData('Text');
   }
 
-  // insertHTML command not supported by Internet Explorer
-  var success = document.execCommand('insertHTML', false, text);
+  // insertText command not supported by Internet Explorer
+  var success = document.execCommand('insertText', false, text);
 
   if (!success) {