Fix #1020 - XSS via innerHTML property (#1022)

2025-12-06 00:03:28 +00:00 · 2021-06-09 15:58:07 -04:00
parent fd328eef2a
commit fd683e9d71
2 changed files with 3 additions and 3 deletions
--- a/src/connectors/webauthn-fallback.ts
+++ b/src/connectors/webauthn-fallback.ts
@@ -104,7 +104,7 @@ async function initWebAuthn(obj: any) {
 function error(message: string) {
    const el = document.getElementById('msg');
    resetMsgBox(el);
-    el.innerHTML = message;
+    el.textContent = message;
    el.classList.add('alert');
    el.classList.add('alert-danger');
 }
@@ -114,7 +114,7 @@ function success(message: string) {
    const el = document.getElementById('msg');
    resetMsgBox(el);
-    el.innerHTML = message;
+    el.textContent = message;
    el.classList.add('alert');
    el.classList.add('alert-success');
 }
--- a/src/locales/en/messages.json
+++ b/src/locales/en/messages.json
@@ -3844,7 +3844,7 @@
    "message": "WebAuthn is not supported in this browser."
  },
  "webAuthnSuccess": {
-    "message": "<strong>WebAuthn verified successfully!</strong><br>You may close this tab."
+    "message": "WebAuthn verified successfully! You may close this tab."
  },
  "hintEqualsPassword": {
    "message": "Your password hint cannot be the same as your password."