[runmode addon] Use textContent instead of innerHTML to clear elements
In general, assigning a plain string to the innerHTML property of an element can cause XSS vulnerabilities, and is thus considered as a violation by the Trusted Types web platform security mechanism. This commit addresses two such violations in CodeMirror by replacing them with semantically equivalent assignments to the textContent property. This is currently a blocker for CodeMirror users that want to enforce Trusted Types in their web application.
This commit is contained in:
parent
a6fdd560c7
commit
4ccf2bddfe
|
@ -31,7 +31,7 @@
|
|||
|
||||
var text = [];
|
||||
textContent(node, text);
|
||||
node.innerHTML = "";
|
||||
node.textContent = "";
|
||||
CodeMirror.runMode(text.join(""), mode, node);
|
||||
|
||||
node.className += " cm-s-default";
|
||||
|
|
|
@ -20,7 +20,7 @@ CodeMirror.runMode = function(string, modespec, callback, options) {
|
|||
var ie = /MSIE \d/.test(navigator.userAgent);
|
||||
var ie_lt9 = ie && (document.documentMode == null || document.documentMode < 9);
|
||||
var node = callback, col = 0;
|
||||
node.innerHTML = "";
|
||||
node.textContent = "";
|
||||
callback = function(text, style) {
|
||||
if (text == "\n") {
|
||||
// Emitting LF or CRLF on IE8 or earlier results in an incorrect display.
|
||||
|
|
Loading…
Reference in New Issue