
Commit 6048299

committed
Use textContent instead of innerHTML
Previously, setting `innerHTML` was used to display the statuses. These could include content communicated from the remote VNC server, allowing the remote VNC server to inject HTML into the noVNC page. This commit switches all uses of `innerHTML` to use `textContent`, which is not vulnerable to the HTML injection.
1 parent 41f476a commit 6048299


5 files changed

+16
-12
lines changed


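--- a/app/ui.js
+++ b/app/ui.js
@@ -48,7 +48,7 @@ var UI;
 
 document.getElementById('noVNC_fallback_error')
 .classList.add("noVNC_open");
-document.getElementById('noVNC_fallback_errormsg').innerHTML = msg;
+document.getElementById('noVNC_fallback_errormsg').textContent = msg;
 } catch (exc) {
 document.write("noVNC encountered an error.");
 }
@@ -416,7 +416,7 @@ var UI;
 
 switch (state) {
 case 'connecting':
-document.getElementById("noVNC_transition_text").innerHTML = _("Connecting...");
+document.getElementById("noVNC_transition_text").textContent = _("Connecting...");
 document.documentElement.classList.add("noVNC_connecting");
 break;
 case 'connected':
@@ -431,7 +431,7 @@ var UI;
 break;
 case 'disconnecting':
 UI.connected = false;
-document.getElementById("noVNC_transition_text").innerHTML = _("Disconnecting...");
+document.getElementById("noVNC_transition_text").textContent = _("Disconnecting...");
 document.documentElement.classList.add("noVNC_disconnecting");
 break;
 case 'disconnected':
@@ -531,7 +531,7 @@ var UI;
 break;
 }
 
-statusElem.innerHTML = text;
+statusElem.textContent = text;
 statusElem.classList.add("noVNC_open");
 
 // If no time was specified, show the status for 1.5 seconds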

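--- a/tests/input.html
+++ b/tests/input.html
@@ -45,7 +45,7 @@
 function message(str) {
 console.log(str);
 cell = document.getElementById('messages');
-cell.innerHTML += msg_cnt + ": " + str + newline;
+cell.textContent += msg_cnt + ": " + str + newline;
 cell.scrollTop = cell.scrollHeight;
 msg_cnt++;
 }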
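Review bot: `cell.textContent += msg_cnt + ": " + str + newline;` at new line 48 reads back the whole accumulated log and rewrites the text node on every message, so each call costs as much as the log is long; appending a node instead, `cell.appendChild(document.createTextNode(msg_cnt + ": " + str + newline));`, gives the same escaping guarantee without the rewrite. The same `textContent +=` pattern appears in the `msg`/`message` helpers of tests/vnc_perf.html and tests/vnc_playback.html. The `cell = document.getElementById('messages');` line above it is also assigned without `var`, making `cell` an implicit global, though that predates this change.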

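--- a/tests/vnc_perf.html
+++ b/tests/vnc_perf.html
@@ -65,7 +65,7 @@
 function msg(str) {
 console.log(str);
 var cell = document.getElementById('messages');
-cell.innerHTML += str + "\n";
+cell.textContent += str + "\n";
 cell.scrollTop = cell.scrollHeight;
 }
 function dbgmsg(str) {
@@ -85,7 +85,7 @@
 }
 
 notification = function (rfb, mesg, level, options) {
-document.getElementById('VNC_status').innerHTML = mesg;
+document.getElementById('VNC_status').textContent = mesg;
 }
 
 function do_test() {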

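--- a/tests/vnc_playback.html
+++ b/tests/vnc_playback.html
@@ -49,7 +49,7 @@
 function message(str) {
 console.log(str);
 var cell = document.getElementById('messages');
-cell.innerHTML += str + "\n";
+cell.textContent += str + "\n";
 cell.scrollTop = cell.scrollHeight;
 }
 
@@ -76,7 +76,7 @@
 }
 
 notification = function (rfb, mesg, level, options) {
-document.getElementById('VNC_status').innerHTML = mesg;
+document.getElementById('VNC_status').textContent = mesg;
 }
 
 function start() {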

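--- a/vnc_auto.html
+++ b/vnc_auto.html
@@ -111,10 +111,14 @@
 var html;
 html = '<form onsubmit="return setPassword();"';
 html += ' style="margin-bottom: 0px">';
-html += msg;
+html += '<label></label>'
 html += '<input type=password size=10 id="password_input" class="noVNC_status">';
 html += '<\/form>';
-status(html, "warn");
+
+// bypass status() because it sets text content
+document.getElementById('noVNC_status_bar').setAttribute("class", "noVNC_status_warn");
+document.getElementById('noVNC_status').innerHTML = html;
+document.getElementById('noVNC_status').querySelector('label').textContent = msg;
 }
 function setPassword() {
 rfb.sendPassword(document.getElementById('password_input').value);
@@ -146,7 +150,7 @@
 level = "warn";
 }
 document.getElementById('noVNC_status_bar').setAttribute("class", "noVNC_status_" + level);
-document.getElementById('noVNC_status').innerHTML = text;
+document.getElementById('noVNC_status').textContent = text;
 }
 function updateState(rfb, state, oldstate) {
 var cad = document.getElementById('sendCtrlAltDelButton');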
