fix: construct DOM nodes correctly #2256
Conversation
There was a problem hiding this comment.
Pull request overview
This PR addresses XSS (Cross-Site Scripting) security vulnerabilities in the rtMedia.js file by replacing potentially unsafe .html() methods with safer .text() methods and refactoring DOM manipulation code to use proper jQuery element creation and appending patterns.
Key Changes:
- Replaced
.html()with.text()for inserting user-facing text (moreText/lessText) to prevent XSS - Refactored ellipsis span creation to use secure jQuery element creation and
.text()instead of string concatenation with.html() - Restructured content display HTML construction to use proper DOM manipulation methods instead of string concatenation
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| var $moreLink = jQuery('<span><a href="javascript://nop/" class="morelink"></a></span>'); | ||
|
|
||
| $this.html(html); | ||
| $this.empty() | ||
| .append($shortContent) | ||
| .append($allContent) | ||
| .append($moreLink); | ||
|
|
||
| $this.find(".morelink").text(config.moreText); |
There was a problem hiding this comment.
The more link element is created without text content on line 1440, and then the text is set separately on line 1447 using a selector. This is inefficient and could cause a brief flicker where the link is empty. Consider setting the text immediately after creating the element before appending it to the DOM, or chain the text assignment before the append operations.
|
Unable to PHPCS or SVG scan one or more files due to error running PHPCS/SVG scanner:
The error may be temporary. If the error persists, please contact a human (commit-ID: ea1bc13). |
mi5t4n
changed the title
No description provided.