Merge pull request #159 from msgpack/fix_dom_injection

gfx · web-flow · commit e61fe7fc1cc5 · 2021-02-28T11:27:59.000+09:00
fix a js/xss-through-dom problem detected by CodeQL
diff --git a/example/fetch-example.html b/example/fetch-example.html
@@ -48,11 +48,13 @@ <h1>Fetch API example</h1>
         }
       })()
     </script>
+    <pre><code id="source"></code></pre>
     <script>
       const script = document.getElementById("script");
-      document.write("<pre><code>");
-      document.write(script.innerText.replace(/^ {6}/gms, ""));
-      document.write("</code><pre>");
+      const source = document.getElementById("source");
+      source.appendChild(
+        document.createTextNode(
+          script.innerText.replace(/^ {6}/gms, "")));
     </script>
   </main>
 </body>
