From 40844bb49b8705894bfa08762d691e782eb4e6d7 Mon Sep 17 00:00:00 2001
From: Lorenzo Cesana
Date: Wed, 27 Apr 2016 18:01:21 +0200
Subject: [PATCH] Use textContent instead of innerHTML

Using textContent will avoid the possibility of cross site scripting and HTML injection
---
 paper-datatable.html | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/paper-datatable.html b/paper-datatable.html
index d1c8907..7575c97 100644
--- a/paper-datatable.html
+++ b/paper-datatable.html
@@ -629,7 +629,7 @@
 }else{
 if(cell.instance) delete cell.instance;
- cell.querySelector('span').innerHTML = cell.dataColumn._formatValue(data)
+ cell.querySelector('span').textContent = cell.dataColumn._formatValue(data)
 //cell.textContent = data;
 }
 }
@@ -677,7 +677,7 @@
 cell.instance.notifyPath(instanceValuePath, change.value);
 }
 if(!cell.instance || cell.instanceType == 'dialog'){
- cell.querySelector('span').innerHTML = this._columns[i]._formatValue(this.get([object, rowKey, prop]));
+ cell.querySelector('span').textContent = this._columns[i]._formatValue(this.get([object, rowKey, prop]));
 }
 }
 if(cell.instance){
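Review bot: The new line in the first hunk, `cell.querySelector('span').textContent = cell.dataColumn._formatValue(data)`, still has no statement terminator, while the matching new line in the second hunk ends with `;`; add the `;` so both assignments are written the same way and do not rely on automatic semicolon insertion. Because the span now receives the formatter's result as plain text, a short comment at each of the two assignments would record the intent, e.g. `// Assigned via textContent so the formatted value is rendered literally, never parsed as markup`, which makes it less likely that a later change reintroduces innerHTML to support a formatter that emits HTML. The commented-out `//cell.textContent = data;` directly below the first assignment now reads like an alternative to the live textContent line and can be dropped. Both enclosing functions start and end outside their hunks.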