
Merge pull request #3548 from hackmdio/fix/xss-on-data-background-video-attribute

fix: use `setAttribute` instead of `innerHTML` to prevent XSS
This commit is contained in:
Hakim El Hattab
2023-12-15 08:56:55 +01:00
committed by GitHub


@@ -142,13 +142,15 @@ export default class SlideContent {
// Support comma separated lists of video sources // Support comma separated lists of video sources
backgroundVideo.split( ',' ).forEach( source => { backgroundVideo.split( ',' ).forEach( source => {
const sourceElement = document.createElement( 'source' );
sourceElement.setAttribute( 'src', source );
let type = getMimeTypeFromFile( source ); let type = getMimeTypeFromFile( source );
if( type ) { if( type ) {
video.innerHTML += `<source src="${source}" type="${type}">`; sourceElement.setAttribute( 'type', type );
}
else {
video.innerHTML += `<source src="${source}">`;
} }
video.appendChild( sourceElement );
} ); } );
backgroundContent.appendChild( video ); backgroundContent.appendChild( video );