
XSS recommendation: Use innerText\textContent instead of innerHTML

I have created a Web Component for a requirement and I have received the following code review comment:

"The best way to handle this is by not injecting untrusted strings in this way. Instead, use node.innerText or node.textContent to inject the string; the browser will not parse this string at all, preventing an XSS attack."

I am still thinking about how to replace innerHTML with innerText or textContent.

Would the community have an input?

import RealBase from '../real-base';
import productCardTitleCss from '../../../css/_product-card-title.scss?inline';
import baseCss from '../../../css/_base.scss?inline';
const ESAPI = require('node-esapi');
class RealProductCardTitle extends RealBase {
  constructor() {
    super();
    this.defaultClass = 'real-product-card-title';
  }
  connectedCallback() {
    super.connectedCallback();
    this.render();
  }
  static get observedAttributes() {
    return ['heading', 'form'];
  }
  get heading() {
    return this.getAttribute('heading') || '';
  }
  // Note: the encoding only happens when the property setter is used; an attribute
  // written directly in markup never passes through it, yet render() reads it the same way.
  set heading(value) {
    this.setAttribute('heading', value ? ESAPI.encoder().encodeForHTML(value) : value);
  }
  get form() {
    return this.getAttribute('form') || '';
  }
  set form(value) {
    this.setAttribute('form', value ? ESAPI.encoder().encodeForHTML(value) : value);
  }
  attributeChangedCallback() {
    this.render();
  }
  render() {
    const {
      heading,
      form,
    } = this;
    this.classList.add('real-block');
    this.classList.add(this.defaultClass);
    if (!this.shadowRoot) {
      this.attachShadow({ mode: 'open' });
    }
    // Recommendation applies to the assignment below: `heading` and `form` are
    // interpolated into an HTML string that the browser then parses.
    this.shadowRoot.innerHTML = `
      <style>
        ${productCardTitleCss}
        ${baseCss}
      </style>
      <real-heading
        class="real-product-card-title-heading"
        input="${heading}">
      </real-heading>
      <div
        class="real-product-card-title-attributes real-inline-block">
        ${form}
      </div>`;
  }
}
window.customElements.define('real-product-card-title', RealProductCardTitle);
Via Active questions tagged javascript - Stack Overflow https://ift.tt/aYqlT6Q
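Below is an added example (not the asker's code) of how that render() could build the same markup with DOM APIs instead of an HTML string, so the untrusted values become an attribute value and a text node and are never parsed as markup; `STATIC_STYLES` is a constructed placeholder for the two CSS imports, and `real-heading` is assumed to read its `input` attribute as in the question.

```javascript
// Added example (not the asker's component): the same render() output built with
// DOM APIs, so `heading` and `form` are stored as an attribute value and a text
// node rather than being parsed as HTML. STATIC_STYLES stands in for the two
// build-time CSS imports (constructed placeholder); the `real-heading` element is
// assumed, as in the question, to read its `input` attribute.
const STATIC_STYLES = ['/* productCardTitleCss */', '/* baseCss */'];

// Builds the subtree in `doc` and returns it as a fragment. Nothing here goes
// through an HTML parser, so the ESAPI encoding in the setters is no longer
// needed; keeping it would make textContent display "&lt;b&gt;" literally.
function buildCardTitle(doc, heading, form) {
  const frag = doc.createDocumentFragment();

  const style = doc.createElement('style');
  style.textContent = STATIC_STYLES.join('\n'); // trusted CSS only, never user input

  const headingEl = doc.createElement('real-heading');
  headingEl.className = 'real-product-card-title-heading';
  // setAttribute stores the raw string; quotes and angle brackets cannot
  // break out of the attribute because no markup is being parsed.
  headingEl.setAttribute('input', heading);

  const attrs = doc.createElement('div');
  attrs.className = 'real-product-card-title-attributes real-inline-block';
  attrs.textContent = form; // becomes a single text node, no child elements

  frag.append(style, headingEl, attrs);
  return frag;
}

// Drop-in body for the component's render(): replaces the shadow tree in one
// step (call as renderInto(this.shadowRoot, this.heading, this.form)).
function renderInto(shadowRoot, heading, form) {
  shadowRoot.replaceChildren(
    buildCardTitle(shadowRoot.ownerDocument, heading, form),
  );
}
```

With this approach the `heading`/`form` setters can store the raw attribute value; encoding belongs at the point of HTML interpolation, and there is no such point left.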
