don't use innerHTML for sso handOffMessage (#1285)

2025-12-15 07:43:35 +00:00 · 2021-11-09 12:15:58 -05:00
parent 5b6fb16591
commit f8aea1e861
1 changed files with 5 additions and 2 deletions
--- a/src/connectors/sso.ts
+++ b/src/connectors/sso.ts
@@ -25,8 +25,11 @@ function initiateBrowserSso(code: string, state: string) {
    window.postMessage({ command: 'authResult', code: code, state: state }, '*');
    const handOffMessage = ('; ' + document.cookie).split('; ssoHandOffMessage=').pop().split(';').shift();
    document.cookie = 'ssoHandOffMessage=;SameSite=strict;max-age=0';
-    document.getElementById('content').innerHTML =
-        `<p>${handOffMessage}</p>`;
+    let content = document.getElementById('content');
+    content.innerHTML = '';
+    let p = document.createElement('p');
+    p.innerText = handOffMessage;
+    content.appendChild(p);
 }

 function extractFromRegex(s: string, regexString: string) {