PRJ-868 Avoid using HTML plain text injections

SerVB · SerVB · commit 06ba6cd5d4f0 · 2022-04-07T17:42:11.000+02:00
diff --git a/projector-client-web/src/main/kotlin/org/jetbrains/projector/client/web/state/ClientState.kt b/projector-client-web/src/main/kotlin/org/jetbrains/projector/client/web/state/ClientState.kt
@@ -624,10 +624,10 @@ sealed class ClientState {
 
         false -> OnScreenMessenger.showText(
           "Connection problem",
-          "There is no connection to <strong>$url</strong>. " +
+          "There is no connection to $url. " +
           "The browser console can contain the error and a more detailed description. " +
-          "Everything we know is that <code>CloseEvent.code=${action.code}</code>, " +
-          "<code>CloseEvent.wasClean=${action.wasClean}</code>. $reason",
+          "Everything we know is that CloseEvent.code=${action.code}, " +
+          "CloseEvent.wasClean=${action.wasClean}. $reason",
           canReload = true
         )
       }
diff --git a/projector-client-web/src/main/kotlin/org/jetbrains/projector/client/web/window/OnScreenMessenger.kt b/projector-client-web/src/main/kotlin/org/jetbrains/projector/client/web/window/OnScreenMessenger.kt
@@ -32,6 +32,7 @@ import org.jetbrains.projector.client.web.state.ProjectorUI
 import org.jetbrains.projector.common.protocol.data.CommonRectangle
 import org.jetbrains.projector.util.logging.Logger
 import org.w3c.dom.HTMLDivElement
+import org.w3c.dom.HTMLParagraphElement
 
 object OnScreenMessenger : LafListener {
 
@@ -57,7 +58,7 @@ object OnScreenMessenger : LafListener {
     }
   }
 
-  private val text = (document.createElement("div") as HTMLDivElement).apply {
+  private val text = (document.createElement("p") as HTMLParagraphElement).apply {
     div.appendChild(this)
   }
 
@@ -75,7 +76,7 @@ object OnScreenMessenger : LafListener {
     logger.info { "$title - $content" }
 
     header.title = title
-    text.innerHTML = "<p>$content</p>"
+    text.innerText = content
 
     reload.style.display = canReload.toDisplayType()
 

Original file line number	Diff line number	Diff line change
`@@ -624,10 +624,10 @@ sealed class ClientState {`
`624`	`624`
`625`	`625`	`false -> OnScreenMessenger.showText(`
`626`	`626`	`"Connection problem",`
`627`		`- "There is no connection to <strong>$url</strong>. " +`
	`627`	`+ "There is no connection to $url. " +`
`628`	`628`	`"The browser console can contain the error and a more detailed description. " +`
`629`		`- "Everything we know is that <code>CloseEvent.code=${action.code}</code>, " +`
`630`		`- "<code>CloseEvent.wasClean=${action.wasClean}</code>. $reason",`
	`629`	`+ "Everything we know is that CloseEvent.code=${action.code}, " +`
	`630`	`+ "CloseEvent.wasClean=${action.wasClean}. $reason",`
`631`	`631`	`canReload = true`
`632`	`632`	`)`
`633`	`633`	`}`
Original file line number	Diff line number	Diff line change
`@@ -32,6 +32,7 @@ import org.jetbrains.projector.client.web.state.ProjectorUI`
`32`	`32`	`import org.jetbrains.projector.common.protocol.data.CommonRectangle`
`33`	`33`	`import org.jetbrains.projector.util.logging.Logger`
`34`	`34`	`import org.w3c.dom.HTMLDivElement`
	`35`	`+import org.w3c.dom.HTMLParagraphElement`
`35`	`36`
`36`	`37`	`object OnScreenMessenger : LafListener {`
`37`	`38`
`@@ -57,7 +58,7 @@ object OnScreenMessenger : LafListener {`
`57`	`58`	`}`
`58`	`59`	`}`
`59`	`60`
`60`		`- private val text = (document.createElement("div") as HTMLDivElement).apply {`
	`61`	`+ private val text = (document.createElement("p") as HTMLParagraphElement).apply {`
`61`	`62`	`div.appendChild(this)`
`62`	`63`	`}`
`63`	`64`
`@@ -75,7 +76,7 @@ object OnScreenMessenger : LafListener {`
`75`	`76`	`logger.info { "$title - $content" }`
`76`	`77`
`77`	`78`	`header.title = title`
`78`		`- text.innerHTML = "<p>$content</p>"`
	`79`	`+ text.innerText = content`
`79`	`80`
`80`	`81`	`reload.style.display = canReload.toDisplayType()`
`81`	`82`