
Use textContent instead of innerHTML

Previously, setting `innerHTML` was used to display the statuses.  These
could include content communicated from the remote VNC server, allowing
the remote VNC server to inject HTML into the noVNC page.

This commit switches all uses of `innerHTML` to use `textContent`, which
is not vulnerable to the HTML injection.
DirectXMan12 committed Jan 12, 2017
1 parent 41f476a commit 6048299a138e078aed210f163111698c8c526a13
Showing with 16 additions and 12 deletions.
  1. +4 −4 app/ui.js
  2. +1 −1 tests/input.html
  3. +2 −2 tests/vnc_perf.html
  4. +2 −2 tests/vnc_playback.html
  5. +7 −3 vnc_auto.html
@@ -48,7 +48,7 @@ var UI;

document.getElementById('noVNC_fallback_error')
.classList.add("noVNC_open");
document.getElementById('noVNC_fallback_errormsg').innerHTML = msg;
document.getElementById('noVNC_fallback_errormsg').textContent = msg;
} catch (exc) {
document.write("noVNC encountered an error.");
}
@@ -416,7 +416,7 @@ var UI;

switch (state) {
case 'connecting':
document.getElementById("noVNC_transition_text").innerHTML = _("Connecting...");
document.getElementById("noVNC_transition_text").textContent = _("Connecting...");
document.documentElement.classList.add("noVNC_connecting");
break;
case 'connected':
@@ -431,7 +431,7 @@ var UI;
break;
case 'disconnecting':
UI.connected = false;
document.getElementById("noVNC_transition_text").innerHTML = _("Disconnecting...");
document.getElementById("noVNC_transition_text").textContent = _("Disconnecting...");
document.documentElement.classList.add("noVNC_disconnecting");
break;
case 'disconnected':
@@ -531,7 +531,7 @@ var UI;
break;
}

statusElem.innerHTML = text;
statusElem.textContent = text;
statusElem.classList.add("noVNC_open");

// If no time was specified, show the status for 1.5 seconds
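Review bot: `statusElem.textContent = text;` closes the injection path, but nothing in the code records why this must remain a text-node assignment, so a later change that wants rich status markup could quietly reintroduce `innerHTML`. Add a why-comment above it, e.g. `// text may carry data echoed from the remote server; keep this a textContent assignment, never innerHTML`, and the same comment fits the `noVNC_fallback_errormsg` assignment in the first hunk, where `msg` is built outside the hunk. The `_("Connecting...")` and `_("Disconnecting...")` strings are now rendered literally, so any translation that relied on HTML entities or tags would display them as-is; if the project ships translation files, they are worth a check. The enclosing functions of all four hunks start outside what is shown.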
@@ -45,7 +45,7 @@
function message(str) {
console.log(str);
cell = document.getElementById('messages');
cell.innerHTML += msg_cnt + ": " + str + newline;
cell.textContent += msg_cnt + ": " + str + newline;
cell.scrollTop = cell.scrollHeight;
msg_cnt++;
}
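Review bot: `cell.textContent += msg_cnt + ": " + str + newline;` only yields visible line breaks if `newline` is a plain `"\n"` and `#messages` is styled with `white-space: pre` or similar; `newline` is defined outside the hunk, and if it was `<br>` markup for the old innerHTML path it will now appear literally. Separately, `+=` on textContent reads back and rewrites the entire accumulated log on every message, which grows quadratically over a long session; `cell.append(msg_cnt + ": " + str + newline);` appends a text node with the same escaping guarantee and without that cost. The same `textContent +=` pattern appears in the `msg` function of tests/vnc_perf.html and the `message` function of tests/vnc_playback.html, both with a literal `"\n"`. The `cell = document.getElementById('messages');` line above also assigns an implicit global, which predates this change.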
@@ -65,7 +65,7 @@
function msg(str) {
console.log(str);
var cell = document.getElementById('messages');
cell.innerHTML += str + "\n";
cell.textContent += str + "\n";
cell.scrollTop = cell.scrollHeight;
}
function dbgmsg(str) {
@@ -85,7 +85,7 @@
}
notification = function (rfb, mesg, level, options) {
document.getElementById('VNC_status').innerHTML = mesg;
document.getElementById('VNC_status').textContent = mesg;
}
function do_test() {
@@ -49,7 +49,7 @@
function message(str) {
console.log(str);
var cell = document.getElementById('messages');
cell.innerHTML += str + "\n";
cell.textContent += str + "\n";
cell.scrollTop = cell.scrollHeight;
}
@@ -76,7 +76,7 @@
}
notification = function (rfb, mesg, level, options) {
document.getElementById('VNC_status').innerHTML = mesg;
document.getElementById('VNC_status').textContent = mesg;
}
function start() {
@@ -111,10 +111,14 @@
var html;
html = '<form onsubmit="return setPassword();"';
html += ' style="margin-bottom: 0px">';
html += msg;
html += '<label></label>'
html += '<input type=password size=10 id="password_input" class="noVNC_status">';
html += '<\/form>';
status(html, "warn");
// bypass status() because it sets text content
document.getElementById('noVNC_status_bar').setAttribute("class", "noVNC_status_warn");
document.getElementById('noVNC_status').innerHTML = html;
document.getElementById('noVNC_status').querySelector('label').textContent = msg;
}
function setPassword() {
rfb.sendPassword(document.getElementById('password_input').value);
@@ -146,7 +150,7 @@
level = "warn";
}
document.getElementById('noVNC_status_bar').setAttribute("class", "noVNC_status_" + level);
document.getElementById('noVNC_status').innerHTML = text;
document.getElementById('noVNC_status').textContent = text;
}
function updateState(rfb, state, oldstate) {
var cad = document.getElementById('sendCtrlAltDelButton');
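Review bot: The password prompt still passes through `document.getElementById('noVNC_status').innerHTML = html;`, which is safe only while every piece of `html` stays developer-controlled; `msg` now reaches the page via the label's `textContent`, but the code does not say that this is the contract. Add a comment above the `html` assembly such as `// static markup only: server-supplied text (msg) is set via textContent below and must never be concatenated into html`. `html += '<label></label>'` is also missing its terminating semicolon, unlike the surrounding lines. The enclosing function begins before the first hunk, and the rendered hunk shows one added line fewer than the file's +7 diffstat, so the full diff should be checked for the line this view omits.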
