Replace innerHTML() with createElement() and appendChild() for security.

MagicMirrorOrg · Sep 20, 2018 · cad7deb · cad7deb
1 parent 40725aa
commit cad7deb
Showing 1 changed file with 7 additions and 2 deletions.
diff --git a/modules/default/compliments/compliments.js b/modules/default/compliments/compliments.js
@@ -157,10 +157,15 @@ Module.register("compliments", {
 	getDom: function() {
 		var complimentText = this.randomCompliment();
 
-		var compliment = document.createTextNode(complimentText);
 		var wrapper = document.createElement("div");
 		wrapper.className = this.config.classes ? this.config.classes : "thin xlarge bright";
-		wrapper.innerHTML = complimentText.replace(/\n/g, '<br>');
+		complimentText.split("\n").forEach(function(line, index) {
+			if (index > 0) {
+				wrapper.appendChild(document.createElement("br"));
+			}
+			wrapper.appendChild(document.createTextNode(line));
+
+		});
 
 		return wrapper;
 	},