fix(settings): mitigate xss
Mitigate XSS in Wi-Fi scanning, which allowed arbitrary code to be injected, by using `textContent` instead of `innerHTML`. Partially Fixes #3233
parent
999bec19f1
commit
d18d800947
@ -19,7 +19,7 @@
|
||||
|
||||
const button = gId("scan");
|
||||
button.disabled = true;
|
||||
button.innerHTML = "Scanning...";
|
||||
button.textContent = "Scanning...";
|
||||
|
||||
fetch(url).then((response) => {
|
||||
return response.json();
|
||||
@ -70,7 +70,7 @@
|
||||
const option = cE("option");
|
||||
|
||||
option.setAttribute("value", networks[i].ssid);
|
||||
option.innerHTML = `${networks[i].ssid} (${networks[i].rssi} dBm)`;
|
||||
option.textContent = `${networks[i].ssid} (${networks[i].rssi} dBm)`;
|
||||
|
||||
if (networks[i].ssid === cs.value) {
|
||||
option.setAttribute("selected", "selected");
|
||||
@ -81,14 +81,14 @@
|
||||
const option = cE("option");
|
||||
|
||||
option.setAttribute("value", "!Cs");
|
||||
option.innerHTML = `Other network...`;
|
||||
option.textContent = `Other network...`;
|
||||
select.appendChild(option);
|
||||
|
||||
cs.replaceWith(select);
|
||||
}
|
||||
|
||||
button.disabled = false;
|
||||
button.innerHTML = "Scan";
|
||||
button.textContent = "Scan";
|
||||
});
|
||||
}
|
||||
// replace WiFi select with custom SSID input field again
|
||||
|
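Review bot: Nothing at the `option.textContent` assignment in the second hunk records why it must not be changed back to `innerHTML`. `networks[i].ssid` comes from the scan response, and an SSID is chosen by whoever operates a nearby access point, so it is untrusted input. I would add a comment above that line, `// SSID is set by nearby APs (untrusted): assign via textContent/setAttribute only, never innerHTML`. The commit message says the issue is only partially fixed, so other places that render scan results or stored SSIDs presumably need the same treatment; none are visible in these hunks. The enclosing function starts outside the hunks shown.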