This repository was archived by the owner on Mar 26, 2024. It is now read-only.

Commit 06ba6cd

committed
PRJ-868 Avoid using HTML plain text injections
1 parent 7cbdefb commit 06ba6cd

2 files changed

+6
-5
lines changed


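--- a/projector-client-web/src/main/kotlin/org/jetbrains/projector/client/web/state/ClientState.kt
+++ b/projector-client-web/src/main/kotlin/org/jetbrains/projector/client/web/state/ClientState.kt
@@ -624,10 +624,10 @@ sealed class ClientState {
 
 false -> OnScreenMessenger.showText(
 "Connection problem",
-"There is no connection to <strong>$url</strong>. " +
+"There is no connection to $url. " +
 "The browser console can contain the error and a more detailed description. " +
-"Everything we know is that <code>CloseEvent.code=${action.code}</code>, " +
-"<code>CloseEvent.wasClean=${action.wasClean}</code>. $reason",
+"Everything we know is that CloseEvent.code=${action.code}, " +
+"CloseEvent.wasClean=${action.wasClean}. $reason",
 canReload = true
 )
 }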
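Review bot: The safety of this call site now rests on an unwritten contract that `OnScreenMessenger.showText` renders `content` as plain text, and nothing here records that, so the next person who wants `$url` bold again may reintroduce the markup. The interpolated `$url` and `$reason` are not visible in this hunk; `reason` in particular looks like it may carry a peer-supplied close reason, which is exactly the text that must never reach `innerHTML`. I would add a one-line comment above the `showText(` call, `// content is shown as plain text by OnScreenMessenger; never embed HTML here, $reason is not trusted`, or the same sentence as KDoc on `showText`'s `content` parameter. If formatting is wanted back, the safe route is to build `<strong>`/`<code>` children with `textContent` inside the messenger rather than concatenating tags into the string. The enclosing `when` branch and the method it sits in start before this hunk.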

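--- a/projector-client-web/src/main/kotlin/org/jetbrains/projector/client/web/window/OnScreenMessenger.kt
+++ b/projector-client-web/src/main/kotlin/org/jetbrains/projector/client/web/window/OnScreenMessenger.kt
@@ -32,6 +32,7 @@ import org.jetbrains.projector.client.web.state.ProjectorUI
 import org.jetbrains.projector.common.protocol.data.CommonRectangle
 import org.jetbrains.projector.util.logging.Logger
 import org.w3c.dom.HTMLDivElement
+import org.w3c.dom.HTMLParagraphElement
 
 object OnScreenMessenger : LafListener {
 
@@ -57,7 +58,7 @@ object OnScreenMessenger : LafListener {
 }
 }
 
-private val text = (document.createElement("div") as HTMLDivElement).apply {
+private val text = (document.createElement("p") as HTMLParagraphElement).apply {
 div.appendChild(this)
 }
 
@@ -75,7 +76,7 @@ object OnScreenMessenger : LafListener {
 logger.info { "$title - $content" }
 
 header.title = title
-text.innerHTML = "<p>$content</p>"
+text.innerText = content
 
 reload.style.display = canReload.toDisplayType()
 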