Preface:
I don't think that this is too big of a problem it's just something that I noticed and just felt that there was a better way of doing this.
How to reproduce:
- Go to settings of Canvas+
- Add a custom link by pressing new.
- In the name type your HTML
Examples:
- <h 1>foobar</h 1>
- <img src=x onerror=alert('Injected!')>
- Now the course should have a link which uses the HTML as the name.
What I think is the cause of the problem:
My guess on why this happens is that on line 21 of ./js/custom-link.js, the name for the link is set using innerHTML instead of using textContent. Here's an article from GeeksForGeeks which helped explain to me the difference https://www.geeksforgeeks.org/why-is-it-better-to-use-textcontent-instead-of-innerhtml/. There is some HTML before injecting the link name though so maybe just inject it as textContent after that line?
Preface:
I don't think that this is too big of a problem it's just something that I noticed and just felt that there was a better way of doing this.
How to reproduce:
Examples:
What I think is the cause of the problem:
My guess on why this happens is that on line 21 of ./js/custom-link.js, the name for the link is set using innerHTML instead of using textContent. Here's an article from GeeksForGeeks which helped explain to me the difference https://www.geeksforgeeks.org/why-is-it-better-to-use-textcontent-instead-of-innerhtml/. There is some HTML before injecting the link name though so maybe just inject it as textContent after that line?