Merge pull request #3548 from hackmdio/fix/xss-on-data-background-vid…

…eo-attribute fix: use `setAttribute` instead of `innerHTML` to prevent XSS
hakimel · Dec 15, 2023 · 767a67e · 767a67e
2 parents 993b8f3 + 89ab00a
commit 767a67e
Showing 1 changed file with 6 additions and 4 deletions.
diff --git a/js/controllers/slidecontent.js b/js/controllers/slidecontent.js
@@ -142,13 +142,15 @@ export default class SlideContent {
 
 					// Support comma separated lists of video sources
 					backgroundVideo.split( ',' ).forEach( source => {
+						const sourceElement = document.createElement( 'source' );
+						sourceElement.setAttribute( 'src', source );
+
 						let type = getMimeTypeFromFile( source );
 						if( type ) {
-							video.innerHTML += `<source src="${source}" type="${type}">`;
-						}
-						else {
-							video.innerHTML += `<source src="${source}">`;
+							sourceElement.setAttribute( 'type', type );
 						}
+
+						video.appendChild( sourceElement );
 					} );
 
 					backgroundContent.appendChild( video );