From fe54bef107eb3f74873a4018f2ff49fa124c6a2e Mon Sep 17 00:00:00 2001
From: Joe Attardi
Date: Wed, 24 Nov 2021 22:49:23 -0500
Subject: [PATCH] Add more HTML escaping
---
 src/categoryButtons.ts | 1 +
 src/emojiArea.ts | 6 ++++--
 src/preview.ts | 2 +-
 src/search.ts | 3 ++-
 4 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/src/categoryButtons.ts b/src/categoryButtons.ts
index d59b9ce4..81c123fb 100644
--- a/src/categoryButtons.ts
+++ b/src/categoryButtons.ts
@@ -1,4 +1,5 @@
 import { TinyEmitter as Emitter } from 'tiny-emitter';
+import escape from 'escape-html';
 import { CLASS_CATEGORY_BUTTONS, CLASS_CATEGORY_BUTTON } from './classes';
diff --git a/src/emojiArea.ts b/src/emojiArea.ts
index 33facbdc..31669934 100644
--- a/src/emojiArea.ts
+++ b/src/emojiArea.ts
@@ -1,4 +1,5 @@
 import { TinyEmitter as Emitter } from 'tiny-emitter';
+import escape from 'escape-html';
 import emojiData from './data/emoji';
 import { i18n as defaultI18n } from './i18n';
@@ -297,8 +298,9 @@ export class EmojiArea {
 emojis: Array
 ): void => {
 const name = createElement('h2', CLASS_CATEGORY_NAME);
- name.innerHTML =
- this.i18n.categories[category] || defaultI18n.categories[category];
+ name.innerHTML = escape(
+ this.i18n.categories[category] || defaultI18n.categories[category]
+ );
 this.emojis.appendChild(name);
 this.headers.push(name);
diff --git a/src/preview.ts b/src/preview.ts
index 0d6ec566..da6a2102 100644
--- a/src/preview.ts
+++ b/src/preview.ts
@@ -49,7 +49,7 @@ export class EmojiPreview {
 }
 this.emoji.innerHTML = content;
- this.name.innerHTML = emoji.name;
+ this.name.innerHTML = escape(emoji.name);
 }
 hidePreview(): void {
diff --git a/src/search.ts b/src/search.ts
index a1c2f313..4652ed32 100644
--- a/src/search.ts
+++ b/src/search.ts
@@ -1,4 +1,5 @@
 import { TinyEmitter as Emitter } from 'tiny-emitter';
+import escape from 'escape-html';
 import * as icons from './icons';
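Review bot: In src/emojiArea.ts (hunk at -297) the category heading is still written through `innerHTML`, so its safety depends on every later edit keeping the `escape()` wrapper in place. The label is plain text, so `name.textContent = this.i18n.categories[category] || defaultI18n.categories[category];` renders the same string without invoking the HTML parser at all. The same substitution applies to `this.name.innerHTML = escape(emoji.name);` in src/preview.ts and `messageContainer.innerHTML = escape(this.message);` in src/search.ts. The enclosing arrow function begins and ends outside the hunk.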
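Review bot: src/preview.ts gains a call to `escape(emoji.name)` but, unlike the other three files in this patch, no `import escape from 'escape-html';` — the diffstat shows a single changed line there. If the file does not already import it (its import block is outside the hunk), the identifier resolves to the legacy global `escape()`, which type-checks against the standard lib typings and percent-encodes instead of HTML-escaping, so a name would display as something like `grinning%20face`. Confirm the import is present, and consider listing `escape` under ESLint's `no-restricted-globals` so a missing import fails the build instead of silently changing behaviour. The converse shows up in src/categoryButtons.ts, which gains the import but no call site in this patch, so any existing `escape(...)` use there was presumably hitting the global before. The method starts above the hunk, where `content` for the still-unescaped `this.emoji.innerHTML = content;` line is built.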
@@ -40,7 +41,7 @@ class NotFoundMessage {
 container.appendChild(iconContainer);
 const messageContainer = createElement('h2');
- messageContainer.innerHTML = this.message;
+ messageContainer.innerHTML = escape(this.message);
 container.appendChild(messageContainer);
 return container;