fix(settings): mitigate xss
Mitigate XSS on wifi scanning from injecting arbitrary code by using `textContent` instead of `innerHTML`. Partially Fixes #3233
parent
999bec19f1
commit
d18d800947
@ -19,7 +19,7 @@
|
|||||||
|
|
||||||
const button = gId("scan");
|
const button = gId("scan");
|
||||||
button.disabled = true;
|
button.disabled = true;
|
||||||
button.innerHTML = "Scanning...";
|
button.textContent = "Scanning...";
|
||||||
|
|
||||||
fetch(url).then((response) => {
|
fetch(url).then((response) => {
|
||||||
return response.json();
|
return response.json();
|
||||||
@ -70,7 +70,7 @@
|
|||||||
const option = cE("option");
|
const option = cE("option");
|
||||||
|
|
||||||
option.setAttribute("value", networks[i].ssid);
|
option.setAttribute("value", networks[i].ssid);
|
||||||
option.innerHTML = `${networks[i].ssid} (${networks[i].rssi} dBm)`;
|
option.textContent = `${networks[i].ssid} (${networks[i].rssi} dBm)`;
|
||||||
|
|
||||||
if (networks[i].ssid === cs.value) {
|
if (networks[i].ssid === cs.value) {
|
||||||
option.setAttribute("selected", "selected");
|
option.setAttribute("selected", "selected");
|
||||||
@ -81,14 +81,14 @@
|
|||||||
const option = cE("option");
|
const option = cE("option");
|
||||||
|
|
||||||
option.setAttribute("value", "!Cs");
|
option.setAttribute("value", "!Cs");
|
||||||
option.innerHTML = `Other network...`;
|
option.textContent = `Other network...`;
|
||||||
select.appendChild(option);
|
select.appendChild(option);
|
||||||
|
|
||||||
cs.replaceWith(select);
|
cs.replaceWith(select);
|
||||||
}
|
}
|
||||||
|
|
||||||
button.disabled = false;
|
button.disabled = false;
|
||||||
button.innerHTML = "Scan";
|
button.textContent = "Scan";
|
||||||
});
|
});
|
||||||
}
|
}
|
||||||
// replace WiFi select with custom SSID input field again
|
// replace WiFi select with custom SSID input field again
|
||||||
|
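Review bot: Nothing in the second hunk records why the option label must be set through `textContent`, so a later edit could switch it back to `innerHTML`; the SSID appears to come straight from the scan response and is chosen by whoever operates a nearby access point, which makes it untrusted input. I would add a comment above that line, `// SSID is untrusted (broadcast by any nearby AP): render as text only, never via innerHTML`. The description says the issue is only partially fixed, so the remaining places in this file, outside these hunks, where scan fields or the stored SSID reach the DOM deserve the same check. Separately, the `.then()` chain that closes in the third hunk shows no `.catch()`, so a failed request or malformed JSON would presumably leave the button disabled and labelled "Scanning..."; the function starts and ends outside the visible lines, so confirm before changing it.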