refactor: Update ZenWorkspaces to use textContent instead of innerHTML for XSS prevention
This commit is contained in:
parent
dde5f80b8b
commit
e12618009e
1 changed files with 10 additions and 4 deletions
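--- a/<PATH-NOT-SHOWN-ON-PAGE>
+++ b/<PATH-NOT-SHOWN-ON-PAGE>
@@ -180,15 +180,18 @@ var ZenWorkspaces = {
 //element.setAttribute("context", "zenWorkspaceActionsMenu");
 let childs = window.MozXULElement.parseXULToFragment(`
 <div class="zen-workspace-icon">
-${gZenUIManager.createValidXULText(this.getWorkspaceIcon(workspace))}
 </div>
 <div class="zen-workspace-name">
-${gZenUIManager.createValidXULText(workspace.name)}
 </div>
 <toolbarbutton closemenu="none" class="toolbarbutton-1 zen-workspace-actions">
 <image class="toolbarbutton-icon" id="zen-workspace-actions-menu-icon"></image>
 </toolbarbutton>
 `);
+
+// use text content instead of innerHTML to avoid XSS
+childs.querySelector(".zen-workspace-icon").textContent = this.getWorkspaceIcon(workspace);
+childs.querySelector(".zen-workspace-name").textContent = workspace.name;
+
 childs.querySelector(".zen-workspace-actions").addEventListener("command", (event) => {
 let button = event.target;
 this._contextMenuId = button.closest("toolbarbutton[zen-workspace-id]").getAttribute("zen-workspace-id");
@@ -273,12 +276,15 @@ var ZenWorkspaces = {
 if (activeWorkspace) {
 button.innerHTML = `
 <div class="zen-workspace-sidebar-icon">
-${gZenUIManager.createValidXULText(this.getWorkspaceIcon(activeWorkspace))}
 </div>
 <div class="zen-workspace-sidebar-name">
-${gZenUIManager.createValidXULText(activeWorkspace.name)}
 </div>
 `;
+
+// use text content instead of innerHTML to avoid XSS
+button.querySelector(".zen-workspace-sidebar-name").textContent = activeWorkspace.name;
+button.querySelector(".zen-workspace-sidebar-icon").textContent = this.getWorkspaceIcon(activeWorkspace);
+
 if (!this.workspaceHasIcon(activeWorkspace)) {
 button.querySelector(".zen-workspace-sidebar-icon").setAttribute("no-icon", "true");
 }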
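Review bot: In the second hunk (`@@ -273,12 +276,15 @@`) the markup is still assigned through `button.innerHTML`, so the sink the commit title says it removes is still there, and the new comment `// use text content instead of innerHTML to avoid XSS` now sits directly beneath an `innerHTML` assignment. The template is static once the two interpolations are dropped, so nothing untrusted reaches the parser as written, but the line will keep tripping innerHTML lint rules and invites the next edit to put an interpolation back. The first hunk already builds equivalent markup with `window.MozXULElement.parseXULToFragment`, so the consistent form is `button.replaceChildren(window.MozXULElement.parseXULToFragment(\`` … `\`));`, assuming `replaceChildren` is available on this element in the target Firefox build. Whichever sink is kept, the comment should say why the template may stay static, for example `// static markup only: workspace-controlled strings are assigned via textContent below so they are never parsed as markup`. The enclosing method in both hunks starts and ends outside the shown lines.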