From d68aed3fea36d7de9e2d9370a98395537fe48457 Mon Sep 17 00:00:00 2001
From: Vidar Tonaas Fauske <vidartf@gmail.com>
Date: Wed, 29 Sep 2021 11:02:04 +0100
Subject: [PATCH] Replace innerHTML with innerText

For any content where the user can potentially influence the content.
---
 packages/labextension/src/widget.ts | 6 ++++--
 packages/nbdime/src/common/util.ts  | 2 +-
 packages/webapp/src/app/diff.ts     | 7 +++++--
 packages/webapp/src/app/merge.ts    | 5 ++++-
 4 files changed, 14 insertions(+), 6 deletions(-)

diff --git a/packages/labextension/src/widget.ts b/packages/labextension/src/widget.ts
index 20690b81..f9972421 100644
--- a/packages/labextension/src/widget.ts
+++ b/packages/labextension/src/widget.ts
@@ -241,9 +241,11 @@ namespace Private {
         <button class="nbdime-export" style="display: none">Export diff</button>
       </div>
       <div class=nbdime-header-banner>
-        <span class="nbdime-header-base">${baseLabel}</span>
-        <span class="nbdime-header-remote">${remoteLabel}</span>
+        <span class="nbdime-header-base"></span>
+        <span class="nbdime-header-remote"></span>
       </div>`;
+    (node.getElementsByClassName("nbdime-header-base")[0] as HTMLSpanElement).innerText = baseLabel;
+    (node.getElementsByClassName("nbdime-header-remote")[0] as HTMLSpanElement).innerText = remoteLabel;
 
     return new Widget({node});
   }
diff --git a/packages/nbdime/src/common/util.ts b/packages/nbdime/src/common/util.ts
index 9d118c7e..7704246a 100644
--- a/packages/nbdime/src/common/util.ts
+++ b/packages/nbdime/src/common/util.ts
@@ -298,7 +298,7 @@ function buildSelect(options: string[], select?: HTMLSelectElement): HTMLSelectE
   }
   for (let option of options) {
     let opt = document.createElement('option');
-    opt.value = opt.innerHTML = option;
+    opt.value = opt.innerText = option;
     select.appendChild(opt);
   }
   return select;
diff --git a/packages/webapp/src/app/diff.ts b/packages/webapp/src/app/diff.ts
index e84e3e2f..7a09e436 100644
--- a/packages/webapp/src/app/diff.ts
+++ b/packages/webapp/src/app/diff.ts
@@ -182,11 +182,14 @@ function onDiffRequestCompleted(data: any) {
  */
 function onDiffRequestFailed(response: string) {
   console.log('Diff request failed.');
-  let root = document.getElementById('nbdime-root');
+  const root = document.getElementById('nbdime-root');
   if (!root) {
     throw new Error('Missing root element "nbidme-root"');
   }
-  root.innerHTML = '<pre>' + response + '</pre>';
+  const pre = document.createElement('pre');
+  pre.innerText = response;
+  root.innerHTML = '';
+  root.appendChild(pre);
   diffWidget = null;
   toggleSpinner(false);
 }
diff --git a/packages/webapp/src/app/merge.ts b/packages/webapp/src/app/merge.ts
index b31f77cd..d8e46ee9 100644
--- a/packages/webapp/src/app/merge.ts
+++ b/packages/webapp/src/app/merge.ts
@@ -177,7 +177,10 @@ function onMergeRequestFailed(response: string) {
   if (!root) {
     throw new Error('Missing root element "nbidme-root"');
   }
-  root.innerHTML = '<pre>' + response + '</pre>';
+  const pre = document.createElement('pre');
+  pre.innerText = response;
+  root.innerHTML = '';
+  root.appendChild(pre);
   mergeWidget = null;
   toggleSpinner(false);
 }