From 41d1110774df7e0e16ae7bfc94a30597818046c0 Mon Sep 17 00:00:00 2001 From: CJ Cenizal Date: Thu, 7 Dec 2017 14:07:28 -0800 Subject: [PATCH] Add XSS note to themes.js. --- src/ui/public/theme/theme.js | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/ui/public/theme/theme.js b/src/ui/public/theme/theme.js index 4d4317441ffa49e..b6393aea6856140 100644 --- a/src/ui/public/theme/theme.js +++ b/src/ui/public/theme/theme.js @@ -7,6 +7,10 @@ export function registerTheme(theme, styles) { export function applyTheme(newTheme) { currentTheme = newTheme; + + // NOTE: The use of innerHTML opens up to XSS attacks, so we can't support user-generated themes + // as long as this implementation is in use. Ideally we would use the webpack style-loader/useable + // to activate and deactivate themes, but that causes the optimize step to fail. document.getElementById('themeCss').innerHTML = themes[currentTheme]; }