Fix code scanning alert no. 1: DOM text reinterpreted as HTML

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
ForkbombEu · Dec 13, 2024 · b5d6d12 · b5d6d12
1 parent 8ceadf2
commit b5d6d12
Showing 1 changed file with 12 additions and 3 deletions.
diff --git a/src/webcomponents.js b/src/webcomponents.js
@@ -6,6 +6,15 @@
 import { zencode_exec } from "zenroom";
 import { SS, LS, stringify } from "./utils";
 
+function escapeHtml(unsafe) {
+  return unsafe
+    .replace(/&/g, "&amp;")
+    .replace(/</g, "&lt;")
+    .replace(/>/g, "&gt;")
+    .replace(/"/g, "&quot;")
+    .replace(/'/g, "&#039;");
+}
+
 export class Zencode extends HTMLElement {
   constructor() {
     super();
@@ -52,9 +61,9 @@ export class BrutalistCard extends HTMLElement {
   }
 
   render() {
-    const title = this.getAttribute("title") || "";
-    const content = this.getAttribute("content") || "";
-    const description = this.getAttribute("description") || "";
+    const title = escapeHtml(this.getAttribute("title") || "");
+    const content = escapeHtml(this.getAttribute("content") || "");
+    const description = escapeHtml(this.getAttribute("description") || "");
 
     const isHttps = window.location.protocol === "https:";