Use createTextNode() to avoid possible XSS (#145)

* Use createTextNode() to avoid possible XSS For reference: https://stackoverflow.com/questions/476821/is-a-dom-text-node-guaranteed-to-not-be-interpreted-as-html For XSS Example: https://jsfiddle.net/32795mpy/ * delete whitespace for CI * update variable names "hiddenText" => "shavedText" "wrapper" => "elWithShavedText"
dollarshaveclub · Apr 17, 2019 · 1876911 · 1876911
1 parent 0e0365d
commit 1876911
Showing 1 changed file with 7 additions and 4 deletions.
diff --git a/src/shave.js b/src/shave.js
@@ -57,10 +57,13 @@ export default function shave (target, maxHeight, opts = {}) {
     el.insertAdjacentHTML('beforeend', charHtml)
     const diff = spaces ? ` ${words.slice(max).join(' ')}` : words.slice(max)
 
-    el.insertAdjacentHTML(
-      'beforeend',
-      `<span class="${classname}" style="display:none;">${diff}</span>`,
-    )
+    // https://stackoverflow.com/questions/476821/is-a-dom-text-node-guaranteed-to-not-be-interpreted-as-html
+    const shavedText = document.createTextNode(diff)
+    const elWithShavedText = document.createElement('span')
+    elWithShavedText.classList.add(classname)
+    elWithShavedText.style.display = 'none'
+    elWithShavedText.appendChild(shavedText)
+    el.insertAdjacentElement('beforeend', elWithShavedText)
 
     styles.height = heightStyle
     styles.maxHeight = maxHeightStyle