From 1876911e423c00fdda643ef724d956b3d324d5c2 Mon Sep 17 00:00:00 2001
From: digitalcraft
Date: Wed, 17 Apr 2019 15:39:52 +1000
Subject: [PATCH] Use createTextNode() to avoid possible XSS (#145)

* Use createTextNode() to avoid possible XSS

For reference: https://stackoverflow.com/questions/476821/is-a-dom-text-node-guaranteed-to-not-be-interpreted-as-html

For XSS Example: https://jsfiddle.net/32795mpy/

* delete whitespace for CI

* update variable names "hiddenText" => "shavedText" "wrapper" => "elWithShavedText"
---
 src/shave.js | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/src/shave.js b/src/shave.js
index 5435c035..cfc55f57 100644
--- a/src/shave.js
+++ b/src/shave.js
@@ -57,10 +57,13 @@ export default function shave (target, maxHeight, opts = {}) {
   el.insertAdjacentHTML('beforeend', charHtml)
   const diff = spaces ? ` ${words.slice(max).join(' ')}` : words.slice(max)
-  el.insertAdjacentHTML(
-    'beforeend',
-    ``,
-  )
+  // https://stackoverflow.com/questions/476821/is-a-dom-text-node-guaranteed-to-not-be-interpreted-as-html
+  const shavedText = document.createTextNode(diff)
+  const elWithShavedText = document.createElement('span')
+  elWithShavedText.classList.add(classname)
+  elWithShavedText.style.display = 'none'
+  elWithShavedText.appendChild(shavedText)
+  el.insertAdjacentElement('beforeend', elWithShavedText)
   styles.height = heightStyle
   styles.maxHeight = maxHeightStyle