fix: replace a few innerHTML by more secure alternatives (#885)

6pac · Oct 27, 2023 · 53ab293 · 53ab293
1 parent a08b0f8
commit 53ab293
Show file tree

Hide file tree

Showing 6 changed files with 8 additions and 8 deletions.
diff --git a/src/controls/slick.columnmenu.ts b/src/controls/slick.columnmenu.ts
@@ -81,7 +81,7 @@ export class SlickColumnMenu {
     const spanCloseElm = document.createElement('span');
     spanCloseElm.className = 'close';
     spanCloseElm.ariaHidden = 'true';
-    spanCloseElm.innerHTML = '&times;';
+    spanCloseElm.textContent = '×';
     buttonElm.appendChild(spanCloseElm);
     this._menuElm.appendChild(buttonElm);
 

diff --git a/src/controls/slick.columnpicker.ts b/src/controls/slick.columnpicker.ts
@@ -82,7 +82,7 @@ export class SlickColumnPicker {
     const spanCloseElm = document.createElement('span');
     spanCloseElm.className = 'close';
     spanCloseElm.ariaHidden = 'true';
-    spanCloseElm.innerHTML = '&times;';
+    spanCloseElm.textContent = '×';
     buttonElm.appendChild(spanCloseElm);
     this._menuElm.appendChild(buttonElm);
 

diff --git a/src/controls/slick.gridmenu.ts b/src/controls/slick.gridmenu.ts
@@ -315,7 +315,7 @@ export class SlickGridMenu {
       const spanCloseElm = document.createElement('span');
       spanCloseElm.className = 'close';
       spanCloseElm.ariaHidden = 'true';
-      spanCloseElm.innerHTML = '&times;';
+      spanCloseElm.textContent = '×';
       closeButtonElm.appendChild(spanCloseElm);
       menuElm.appendChild(closeButtonElm);
     }

diff --git a/src/controls/slick.pager.ts b/src/controls/slick.pager.ts
@@ -61,7 +61,7 @@ export class SlickGridPager {
   destroy() {
     this.setPageSize(0);
     this._bindingEventService.unbindAll();
-    this._container.innerHTML = '';
+    Utils.emptyElement(this._container);
   }
 
   protected getNavState() {

diff --git a/src/plugins/slick.contextmenu.ts b/src/plugins/slick.contextmenu.ts
@@ -348,7 +348,7 @@ export class SlickContextMenu implements SlickPlugin {
       const spanCloseElm = document.createElement('span');
       spanCloseElm.className = 'close';
       spanCloseElm.ariaHidden = 'true';
-      spanCloseElm.innerHTML = '&times;';
+      spanCloseElm.textContent = '×';
       closeButtonElm.appendChild(spanCloseElm);
     }
 

diff --git a/src/slick.grid.ts b/src/slick.grid.ts
@@ -2971,7 +2971,7 @@ export class SlickGrid<TData = any, C extends Column<TData> = Column<TData>, O e
         }
       }
 
-      cellEl.innerHTML = maxText;
+      cellEl.textContent = maxText;
       len = cellEl.offsetWidth;
 
       rowEl.remove();
@@ -4085,7 +4085,7 @@ export class SlickGrid<TData = any, C extends Column<TData> = Column<TData>, O e
         formatterResult = this.getFormatter(row, m)(row, columnIdx, this.getDataItemValueForColumn(d, m), m, d, this as unknown as SlickGridModel);
         this.applyFormatResultToCellNode(formatterResult, node as HTMLDivElement);
       } else {
-        node.innerHTML = '';
+        Utils.emptyElement(node);
       }
     }
 
@@ -5766,7 +5766,7 @@ export class SlickGrid<TData = any, C extends Column<TData> = Column<TData>, O e
 
     // don't clear the cell if a custom editor is passed through
     if (!editor && !useEditor.suppressClearOnEdit) {
-      this.activeCellNode.innerHTML = '';
+      Utils.emptyElement(this.activeCellNode);
     }
 
     let metadata = (this.data as CustomDataView<TData>)?.getItemMetadata?.(this.activeRow);