From fd8f25916b025a92b1b8349ef9d0acdb832a9e8e Mon Sep 17 00:00:00 2001
From: jvoisin
Date: Mon, 11 Mar 2024 01:16:36 +0100
Subject: [PATCH] First steps towards trusted-types support
Refactor away some trival usages of `.innerHTML`. Unfortunately, there is no way to enabled trusted-types in report-only mode via `` tags, see https://github.com/w3c/webappsec-csp/issues/277
---
 internal/ui/static/js/app.js | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/internal/ui/static/js/app.js b/internal/ui/static/js/app.js
index 9764d3f6..658b869c 100644
--- a/internal/ui/static/js/app.js
+++ b/internal/ui/static/js/app.js
@@ -114,7 +114,7 @@ function handleSubmitButtons() {
 let button = element.querySelector("button");
 if (button) {
- button.innerHTML = button.dataset.labelLoading;
+ button.textContent = button.dataset.labelLoading;
 button.disabled = true;
 }
 };
@@ -193,7 +193,7 @@ function toggleEntryStatus(element, toasting) {
 let currentStatus = link.dataset.value;
 let newStatus = currentStatus === "read" ? "unread" : "read";
- link.querySelector("span").innerHTML = link.dataset.labelLoading;
+ link.querySelector("span").textContent = link.dataset.labelLoading;
 updateEntriesStatus([entryID], newStatus, () => {
 let iconElement, label;
@@ -352,12 +352,13 @@ function handleFetchOriginalContent() {
 return;
 }
- let previousInnerHTML = element.innerHTML;
+ let previousElement = element.cloneNode(true)
 element.innerHTML = '' + element.dataset.labelLoading + '';
 let request = new RequestBuilder(element.dataset.fetchContentUrl);
 request.withCallback((response) => {
- element.innerHTML = previousInnerHTML;
+ element.textContent = '';
+ element.appendChild(previousElement);
 response.json().then((data) => {
 if (data.hasOwnProperty("content") && data.hasOwnProperty("reading_time")) {
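Review bot: In the `handleFetchOriginalContent` hunk, `previousElement` is a deep clone of `element` itself, so `element.appendChild(previousElement)` nests a copy of the whole element, attributes included, inside the original instead of restoring its former children as the old `innerHTML` round-trip did. Restoring only the children keeps the change free of HTML sinks, for example `element.replaceChildren(...previousElement.childNodes);` in place of the `element.textContent = '';` / `appendChild` pair. The unchanged `element.innerHTML` assignment built from `element.dataset.labelLoading` is still a string-to-HTML sink in this function and will need the same treatment before Trusted Types can be enforced. The added `cloneNode(true)` line also lacks the trailing semicolon the surrounding lines use. The function body starts and ends outside the hunk.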