From fd683e9d71a1327ef58d1b735036e003de6a0a3a Mon Sep 17 00:00:00 2001
From: Chad Scharf <3904944+cscharf@users.noreply.github.com>
Date: Wed, 9 Jun 2021 15:58:07 -0400
Subject: [PATCH] Fix #1020 - XSS via innerHTML property (#1022)
---
src/connectors/webauthn-fallback.ts | 4 ++--
src/locales/en/messages.json | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/connectors/webauthn-fallback.ts b/src/connectors/webauthn-fallback.ts
index caffda43caa..7bd19353281 100644
--- a/src/connectors/webauthn-fallback.ts
+++ b/src/connectors/webauthn-fallback.ts
@@ -104,7 +104,7 @@ async function initWebAuthn(obj: any) {
function error(message: string) {
const el = document.getElementById('msg');
resetMsgBox(el);
- el.innerHTML = message;
+ el.textContent = message;
el.classList.add('alert');
el.classList.add('alert-danger');
}
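Review bot: `el` on the second line of the hunk comes from `document.getElementById('msg')`, which returns `HTMLElement | null`, yet it is passed to `resetMsgBox(el)` and dereferenced for `el.textContent` with no guard; under `strictNullChecks` this does not compile and at runtime it throws if the `msg` element is absent from the page. Add an early exit before the reset call, `if (el === null) { return; }`, so a missing container degrades to a silent no-op rather than an uncaught error. The switch to `textContent` itself is the correct fix, since the string is inserted as a text node and never parsed as markup, so no further escaping is needed here. The same unguarded dereference appears in the `success` hunk below.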
@@ -114,7 +114,7 @@ function success(message: string) {
const el = document.getElementById('msg');
resetMsgBox(el);
- el.innerHTML = message;
+ el.textContent = message;
el.classList.add('alert');
el.classList.add('alert-success');
}
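Review bot: `success` now renders its argument as plain text, which changes the contract for every caller and every localized string routed through it, but nothing in the hunk records this; `function success(message: string) {` itself sits outside the hunk (it appears only in the `@@` header context). A short TSDoc above the signature would prevent a later contributor from reintroducing `innerHTML` for a string that "needs" a line break: `/** Shows `message` in #msg as plain text; markup is displayed literally, so callers must pass text only. */`. The accompanying `webAuthnSuccess` change in messages.json suggests that was the motivation; other locale strings with markup passed to `success` or `error`, if any exist, would presumably now display their tags verbatim and should be reviewed the same way.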
diff --git a/src/locales/en/messages.json b/src/locales/en/messages.json
index 149a47cba4f..cd03a666a66 100644
--- a/src/locales/en/messages.json
+++ b/src/locales/en/messages.json
@@ -3844,7 +3844,7 @@
"message": "WebAuthn is not supported in this browser."
},
"webAuthnSuccess": {
- "message": "WebAuthn verified successfully!
You may close this tab."
+ "message": "WebAuthn verified successfully! You may close this tab."
},
"hintEqualsPassword": {
"message": "Your password hint cannot be the same as your password."