From f8aea1e861074a062274527adb3fa92b34f74a74 Mon Sep 17 00:00:00 2001
From: Kyle Spearrin
Date: Tue, 9 Nov 2021 12:15:58 -0500
Subject: [PATCH] don't use innerHTML for sso handOffMessage (#1285)
---
 src/connectors/sso.ts | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/src/connectors/sso.ts b/src/connectors/sso.ts
index ef9383a213a..f4735ffe339 100644
--- a/src/connectors/sso.ts
+++ b/src/connectors/sso.ts
@@ -25,8 +25,11 @@ function initiateBrowserSso(code: string, state: string) {
 window.postMessage({ command: 'authResult', code: code, state: state }, '*');
 const handOffMessage = ('; ' + document.cookie).split('; ssoHandOffMessage=').pop().split(';').shift();
 document.cookie = 'ssoHandOffMessage=;SameSite=strict;max-age=0';
- document.getElementById('content').innerHTML =
- `

${handOffMessage}

`;
+ let content = document.getElementById('content');
+ content.innerHTML = '';
+ let p = document.createElement('p');
+ p.innerText = handOffMessage;
+ content.appendChild(p);
 }
 function extractFromRegex(s: string, regexString: string) {
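Review bot: The added `content.innerHTML = ''` and `content.appendChild(p)` dereference the result of `document.getElementById('content')` without a null check, so a page missing that element throws after the `ssoHandOffMessage` cookie has already been cleared; guard it with `if (content == null) { return; }`. Moving the cookie-derived `handOffMessage` from an HTML sink to a text sink is the right fix, and `p.textContent = handOffMessage;` would achieve the same without innerText's layout-dependent handling; both `content` and `p` can be `const`. The value remains untrusted text if anything else on the site is able to set that cookie, so a one-line comment above the assignment, such as `// handOffMessage comes from a cookie: treat as untrusted, text sinks only`, would keep a later edit from reintroducing markup interpolation. The enclosing `initiateBrowserSso` begins above the hunk.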