Use textContent instead of innerHTML
Previously, setting `innerHTML` was used to display the statuses.  These
could include content communicated from the remote VNC server, allowing
the remote VNC server to inject HTML into the noVNC page.

This commit switches all uses of `innerHTML` to use `textContent`, which
is not vulnerable to the HTML injection.
DirectXMan12 committed Jan 12, 2017
1 parent 41f476a commit 6048299
Showing 5 changed files with 16 additions and 12 deletions.
8 changes: 4 additions & 4 deletions app/ui.js
Expand Up @@ -48,7 +48,7 @@ var UI;

document.getElementById('noVNC_fallback_error')
.classList.add("noVNC_open");
document.getElementById('noVNC_fallback_errormsg').innerHTML = msg;
document.getElementById('noVNC_fallback_errormsg').textContent = msg;
} catch (exc) {
document.write("noVNC encountered an error.");
}
Expand Down Expand Up @@ -416,7 +416,7 @@ var UI;

switch (state) {
case 'connecting':
document.getElementById("noVNC_transition_text").innerHTML = _("Connecting...");
document.getElementById("noVNC_transition_text").textContent = _("Connecting...");
document.documentElement.classList.add("noVNC_connecting");
break;
case 'connected':
Expand All @@ -431,7 +431,7 @@ var UI;
break;
case 'disconnecting':
UI.connected = false;
document.getElementById("noVNC_transition_text").innerHTML = _("Disconnecting...");
document.getElementById("noVNC_transition_text").textContent = _("Disconnecting...");
document.documentElement.classList.add("noVNC_disconnecting");
break;
case 'disconnected':
Expand Down Expand Up @@ -531,7 +531,7 @@ var UI;
break;
}

statusElem.innerHTML = text;
statusElem.textContent = text;
statusElem.classList.add("noVNC_open");

// If no time was specified, show the status for 1.5 seconds
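Review bot: The hunk at @@ -531 makes `statusElem.textContent = text;` render whatever callers pass as literal text, so any caller that previously passed markup in `text` (for example a `<br>` for a line break) now shows the tags verbatim; the callers are outside this hunk, so that should be checked before merge. The function that owns `statusElem` starts outside the hunk, and its contract is worth stating at its head: `// text is rendered as plain text via textContent; markup is never interpreted, so callers must not pass HTML`. The same applies to the transition-text assignments at @@ -416 and @@ -431, though those only take the fixed `_()` strings shown.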
2 changes: 1 addition & 1 deletion tests/input.html
Expand Up @@ -45,7 +45,7 @@
function message(str) {
console.log(str);
cell = document.getElementById('messages');
cell.innerHTML += msg_cnt + ": " + str + newline;
cell.textContent += msg_cnt + ": " + str + newline;
cell.scrollTop = cell.scrollHeight;
msg_cnt++;
}
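Review bot: `cell.textContent += msg_cnt + ": " + str + newline;` now emits `newline` literally, and if `newline` holds an HTML line break such as `<br>` (it is defined outside this hunk, so this is inferred from the old `innerHTML` use) every message will display the tag text instead of breaking the line. If that is the case, change it to a real newline, `cell.textContent += msg_cnt + ": " + str + "\n";`, as vnc_perf.html and vnc_playback.html already do, and give the element `white-space: pre` (or make it a `<pre>`) so the newlines render. `message` is fully inside the hunk; `cell` is assigned without `var` on the context line above and becomes a global, which predates this change.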
4 changes: 2 additions & 2 deletions tests/vnc_perf.html
Expand Up @@ -65,7 +65,7 @@
function msg(str) {
console.log(str);
var cell = document.getElementById('messages');
cell.innerHTML += str + "\n";
cell.textContent += str + "\n";
cell.scrollTop = cell.scrollHeight;
}
function dbgmsg(str) {
Expand All @@ -85,7 +85,7 @@
}

notification = function (rfb, mesg, level, options) {
document.getElementById('VNC_status').innerHTML = mesg;
document.getElementById('VNC_status').textContent = mesg;
}

function do_test() {
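Review bot: `cell.textContent += str + "\n";` in `msg` re-reads and re-serialises the entire accumulated log on every call, which is quadratic over a long test run, whereas the old `innerHTML +=` was at least no better, so this is a style point rather than a regression. Appending a node keeps the same visible result in one step: `cell.appendChild(document.createTextNode(str + "\n"));`. The identical pattern is in the `message` function of tests/vnc_playback.html at @@ -49. The `notification` assignment at @@ -85 is fine as changed; it creates a global on a context line, which predates this commit.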
4 changes: 2 additions & 2 deletions tests/vnc_playback.html
Expand Up @@ -49,7 +49,7 @@
function message(str) {
console.log(str);
var cell = document.getElementById('messages');
cell.innerHTML += str + "\n";
cell.textContent += str + "\n";
cell.scrollTop = cell.scrollHeight;
}

Expand All @@ -76,7 +76,7 @@
}

notification = function (rfb, mesg, level, options) {
document.getElementById('VNC_status').innerHTML = mesg;
document.getElementById('VNC_status').textContent = mesg;
}

function start() {
10 changes: 7 additions & 3 deletions vnc_auto.html
Expand Up @@ -111,10 +111,14 @@
var html;
html = '<form onsubmit="return setPassword();"';
html += ' style="margin-bottom: 0px">';
html += msg;
html += '<label></label>'
html += '<input type=password size=10 id="password_input" class="noVNC_status">';
html += '<\/form>';
status(html, "warn");

// bypass status() because it sets text content
document.getElementById('noVNC_status_bar').setAttribute("class", "noVNC_status_warn");
document.getElementById('noVNC_status').innerHTML = html;
document.getElementById('noVNC_status').querySelector('label').textContent = msg;
}
function setPassword() {
rfb.sendPassword(document.getElementById('password_input').value);
Expand Down Expand Up @@ -146,7 +150,7 @@
level = "warn";
}
document.getElementById('noVNC_status_bar').setAttribute("class", "noVNC_status_" + level);
document.getElementById('noVNC_status').innerHTML = text;
document.getElementById('noVNC_status').textContent = text;
}
function updateState(rfb, state, oldstate) {
var cad = document.getElementById('sendCtrlAltDelButton');
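Review bot: The first hunk keeps one `innerHTML` sink, `document.getElementById('noVNC_status').innerHTML = html;`, and it is only safe because every piece concatenated into `html` is now a string literal; nothing enforces that, so a later `html += <runtime value>` silently reintroduces the injection the commit fixes. Building the form with DOM APIs removes the sink entirely and lets `msg` go into the label through `textContent` without a `querySelector` round trip, as sketched below. If the string form is kept instead, a guard comment is the minimum: `// html must stay a pure literal: runtime values go into the <label> via textContent below, never into this string`. Separately, `html += '<label></label>'` on the added line has no terminating semicolon. The enclosing function starts outside the hunk.
```javascript
// … unchanged: noVNC_status_bar class set to "noVNC_status_warn" …
var statusEl = document.getElementById('noVNC_status');
var form = document.createElement('form');
form.style.marginBottom = '0px';
form.onsubmit = function () { return setPassword(); };
var label = document.createElement('label');
label.textContent = msg;
var input = document.createElement('input');
input.type = 'password';
input.size = 10;
input.id = 'password_input';
input.className = 'noVNC_status';
form.appendChild(label);
form.appendChild(input);
statusEl.textContent = '';
statusEl.appendChild(form);
```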