rowan/multi-account-containers
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Security fix: Swap innerHTML to document.createFragment for pageAction.js

Browse source
This commit is contained in:
Maxx Crawford 2023-01-23 09:25:07 -06:00
parent 69bfac12de
commit eb82d42657
No known key found for this signature in database
GPG key ID: 71DBD3273B65FEF9
1 changed files with 28 additions and 10 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

38
src/js/pageAction.js
View file

@ -7,17 +7,35 @@ async function init() {
tr.classList.add("menu-item", "hover-highlight");
tr.setAttribute("data-cookie-store-id", identity.cookieStoreId);
const td = document.createElement("td");
td.innerHTML = Utils.escaped`
<div class="menu-icon">
<div class="usercontext-icon"
data-identity-icon="${identity.icon}"
data-identity-color="${identity.color}">
</div>
</div>
<span class="menu-text">${identity.name}</span>
<img alt="" class="page-action-flag flag-img" src="/img/flags/.png"/>
`;
// Create `<div class="menu-icon">`
const fragmentDivMenuIcon = document.createElement("div");
fragmentDivMenuIcon.classList.add("menu-icon");
// Create `<div class="usercontext-icon"`
const fragmentDivUserContextIcon= document.createElement("div");
fragmentDivUserContextIcon.classList.add("usercontext-icon");
fragmentDivUserContextIcon.setAttribute("data-identity-icon", identity.icon);
fragmentDivUserContextIcon.setAttribute("data-identity-color", identity.color);
fragmentDivMenuIcon.appendChild(fragmentDivUserContextIcon);
// Append both of <td>
td.appendChild(fragmentDivMenuIcon);
// Create <span class"menu-text">
const fragmentSpanMenuText= document.createElement("span");
const fragmentSpanMenuTextContent = document.createTextNode(identity.name);
fragmentSpanMenuText.classList.add("menu-text");
fragmentSpanMenuText.appendChild(fragmentSpanMenuTextContent);
td.appendChild(fragmentSpanMenuText);
// Create <img class"flag-img">
// Note: Flag source is dynamically set via mozillaVpn.js
const fragmentImgFlag= document.createElement("img");
fragmentImgFlag.classList.add("page-action-flag");
fragmentImgFlag.classList.add("flag-img");
td.appendChild(fragmentImgFlag);
tr.appendChild(td);
fragment.appendChild(tr);