Skip to main content

XSS recommendation: Use innerText\textContent instead of innerHTML

I have created a Web Component for a requirement and I have received a The best way to handle this is by not injecting untrusted strings in this way. Instead, use node.innerText or node.textContent to inject the string- the browser will not parse this string at all, preventing an XSS attack. code review comment. I am still thinking about how to replace innerHTML to innerText or textContent.

Would the community have an input?

import RealBase from '../real-base';
import productCardTitleCss from '../../../css/_product-card-title.scss?inline';
import baseCss from '../../../css/_base.scss?inline';
const ESAPI = require('node-esapi');
class RealProductCardTitle extends RealBase {
  constructor() {
    super();
    this.defaultClass = 'real-product-card-title';
  }
  connectedCallback() {
    super.connectedCallback();
    this.render();
  }
  static get observedAttributes() {
    return ['heading', 'form'];
  }
  get heading() {
    return this.getAttribute('heading') || '';
  }
  set heading(value) {
    this.setAttribute('heading', value ? ESAPI.encoder().encodeForHTML(value) : value);
  }
  get form() {
    return this.getAttribute('form') || '';
  }
  set form(value) {
    this.setAttribute('form', value ? ESAPI.encoder().encodeForHTML(value) : value);
  }
  attributeChangedCallback() {
    this.render();
  }
  render() {
    const {
      heading,
      form,
    } = this;
    this.classList.add('real-block');
    this.classList.add(this.defaultClass);
    if (!this.shadowRoot) {
      this.attachShadow({ mode: 'open' });
    }
    //Recommendation for this line below
    this.shadowRoot.innerHTML = `
      <style>
        ${productCardTitleCss}
        ${baseCss}
      </style>
      <real-heading 
        class="real-product-card-title-heading" 
        input="${heading}">
      </real-heading>
      <div 
        class="real-product-card-title-attributes real-inline-block">
        ${form}
      </div>`;
  }
}
window.customElements.define('real-product-card-title', RealProductCardTitle);
Via Active questions tagged javascript - Stack Overflow https://ift.tt/aYqlT6Q
Labels:

Comments

Post a Comment

Popular posts from this blog

Confusion between commands.Bot and discord.Client | Which one should I use?

Whenever you look at YouTube tutorials or code from this website there is a real variation. Some developers use client = discord.Client(intents=intents) while the others use bot = commands.Bot(command_prefix="something", intents=intents) . Now I know slightly about the difference but I get errors from different places from my code when I use either of them and its confusing. Especially since there has a few changes over the years in discord.py it is hard to find the real difference. I tried sticking to discord.Client then I found that there are more features in commands.Bot . Then I found errors when using commands.Bot . An example of this is: When I try to use commands.Bot client = commands.Bot(command_prefix=">",intents=intents) async def load(): for filename in os.listdir("./Cogs"): if filename.endswith(".py"): client.load_extension(f"Cogs.{filename[:-3]}") The above doesnt giveany response from my Cogs ...
Post a Comment
Read more

How to show number of registered users in Laravel based on usertype?

i'm trying to display data from the database in the admin dashboard i used this: <?php use Illuminate\Support\Facades\DB; $users = DB::table('users')->count(); echo $users; ?> and i have successfully get the correct data from the database but what if i want to display a specific data for example in this user table there is "usertype" that specify if the user is normal user or admin i want to user the same code above but to display a specific usertype i tried this: <?php use Illuminate\Support\Facades\DB; $users = DB::table('users')->count()->WHERE usertype =admin; echo $users; ?> but it didn't work, what am i doing wrong? source https://stackoverflow.com/questions/68199726/how-to-show-number-of-registered-users-in-laravel-based-on-usertype
Post a Comment
Read more

Why is my reports service not connecting?

I am trying to pull some data from a Postgres database using Node.js and node-postures but I can't figure out why my service isn't connecting. my routes/index.js file: const express = require('express'); const router = express.Router(); const ordersCountController = require('../controllers/ordersCountController'); const ordersController = require('../controllers/ordersController'); const weeklyReportsController = require('../controllers/weeklyReportsController'); router.get('/orders_count', ordersCountController); router.get('/orders', ordersController); router.get('/weekly_reports', weeklyReportsController); module.exports = router; My controllers/weeklyReportsController.js file: const weeklyReportsService = require('../services/weeklyReportsService'); const weeklyReportsController = async (req, res) => { try { const data = await weeklyReportsService; res.json({data}) console...
Post a Comment
Read more