Skip to main content

XSS recommendation: Use innerText\textContent instead of innerHTML

I have created a Web Component for a requirement and I have received a The best way to handle this is by not injecting untrusted strings in this way. Instead, use node.innerText or node.textContent to inject the string- the browser will not parse this string at all, preventing an XSS attack. code review comment. I am still thinking about how to replace innerHTML to innerText or textContent.

Would the community have an input?

import RealBase from '../real-base';
import productCardTitleCss from '../../../css/_product-card-title.scss?inline';
import baseCss from '../../../css/_base.scss?inline';
const ESAPI = require('node-esapi');
class RealProductCardTitle extends RealBase {
  constructor() {
    super();
    this.defaultClass = 'real-product-card-title';
  }
  connectedCallback() {
    super.connectedCallback();
    this.render();
  }
  static get observedAttributes() {
    return ['heading', 'form'];
  }
  get heading() {
    return this.getAttribute('heading') || '';
  }
  set heading(value) {
    this.setAttribute('heading', value ? ESAPI.encoder().encodeForHTML(value) : value);
  }
  get form() {
    return this.getAttribute('form') || '';
  }
  set form(value) {
    this.setAttribute('form', value ? ESAPI.encoder().encodeForHTML(value) : value);
  }
  attributeChangedCallback() {
    this.render();
  }
  render() {
    const {
      heading,
      form,
    } = this;
    this.classList.add('real-block');
    this.classList.add(this.defaultClass);
    if (!this.shadowRoot) {
      this.attachShadow({ mode: 'open' });
    }
    //Recommendation for this line below
    this.shadowRoot.innerHTML = `
      <style>
        ${productCardTitleCss}
        ${baseCss}
      </style>
      <real-heading 
        class="real-product-card-title-heading" 
        input="${heading}">
      </real-heading>
      <div 
        class="real-product-card-title-attributes real-inline-block">
        ${form}
      </div>`;
  }
}
window.customElements.define('real-product-card-title', RealProductCardTitle);
Via Active questions tagged javascript - Stack Overflow https://ift.tt/aYqlT6Q
Labels:

Comments

Post a Comment

Popular posts from this blog

How to show number of registered users in Laravel based on usertype?

i'm trying to display data from the database in the admin dashboard i used this: <?php use Illuminate\Support\Facades\DB; $users = DB::table('users')->count(); echo $users; ?> and i have successfully get the correct data from the database but what if i want to display a specific data for example in this user table there is "usertype" that specify if the user is normal user or admin i want to user the same code above but to display a specific usertype i tried this: <?php use Illuminate\Support\Facades\DB; $users = DB::table('users')->count()->WHERE usertype =admin; echo $users; ?> but it didn't work, what am i doing wrong? source https://stackoverflow.com/questions/68199726/how-to-show-number-of-registered-users-in-laravel-based-on-usertype
Post a Comment
Read more

Why is my reports service not connecting?

I am trying to pull some data from a Postgres database using Node.js and node-postures but I can't figure out why my service isn't connecting. my routes/index.js file: const express = require('express'); const router = express.Router(); const ordersCountController = require('../controllers/ordersCountController'); const ordersController = require('../controllers/ordersController'); const weeklyReportsController = require('../controllers/weeklyReportsController'); router.get('/orders_count', ordersCountController); router.get('/orders', ordersController); router.get('/weekly_reports', weeklyReportsController); module.exports = router; My controllers/weeklyReportsController.js file: const weeklyReportsService = require('../services/weeklyReportsService'); const weeklyReportsController = async (req, res) => { try { const data = await weeklyReportsService; res.json({data}) console
Post a Comment
Read more

How to split a rinex file if I need 24 hours data

Trying to divide rinex file using the command gfzrnx but getting this error. While doing that getting this error msg 'gfzrnx' is not recognized as an internal or external command Trying to split rinex file using the command gfzrnx. also install'gfzrnx'. my doubt is I need to run this program in 'gfzrnx' or in 'cmdprompt'. I am expecting a rinex file with 24 hrs or 1 day data.I Have 48 hrs data in RINEX format. Please help me to solve this issue. source https://stackoverflow.com/questions/75385367/how-to-split-a-rinex-file-if-i-need-24-hours-data
Post a Comment
Read more