From 3dd616f6ffb8a10846420339c412d50fb122f2ac Mon Sep 17 00:00:00 2001
From: Chocobo1
Date: Fri, 17 Jun 2022 13:00:32 +0800
Subject: [PATCH] Use proper method for manipulating text

`innerText` is too powerful for the job here, use a more restricted/secure way to manipulate text. Related: #17211. PR #17212.
---
 src/webui/www/private/scripts/download.js | 2 +-
 src/webui/www/private/views/preferences.html | 4 ++--
 src/webui/www/private/views/rssDownloader.html | 6 +++---
 src/webui/www/public/scripts/login.js | 4 ++--
 4 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/src/webui/www/private/scripts/download.js b/src/webui/www/private/scripts/download.js
index a908f9768..f1a44e67e 100644
--- a/src/webui/www/private/scripts/download.js
+++ b/src/webui/www/private/scripts/download.js
@@ -106,7 +106,7 @@ window.qBittorrent.Download = (function() {
 }
 else {
 item.nextElementSibling.hidden = true;
- const text = item.options[item.selectedIndex].innerHTML;
+ const text = item.options[item.selectedIndex].textContent;
 item.nextElementSibling.value = text;
 if ($('autoTMM').selectedIndex == 1) {
diff --git a/src/webui/www/private/views/preferences.html b/src/webui/www/private/views/preferences.html
index ed00e514f..c5502b820 100644
--- a/src/webui/www/private/views/preferences.html
+++ b/src/webui/www/private/views/preferences.html
@@ -1374,7 +1374,7 @@
 }
 else {
 item.nextElementSibling.hidden = true;
- const text = item.options[item.selectedIndex].innerHTML;
+ const text = item.options[item.selectedIndex].textContent;
 item.nextElementSibling.value = text;
 }
 };
@@ -1397,7 +1397,7 @@
 $('cb_watch_' + pos).setProperty('value', sel);
 if (disableInput) {
 const elt = $('cb_watch_' + pos);
- other = elt.options[elt.selectedIndex].innerHTML;
+ other = elt.options[elt.selectedIndex].textContent;
 }
 $('cb_watch_txt_' + pos).setProperty('value', other);
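Review bot: `item.options[item.selectedIndex]` is dereferenced without checking that an option is actually selected, in the download.js hunk and in both preferences.html hunks; when `selectedIndex` is -1 the lookup yields `undefined` and reading `.textContent` throws. The `cb_watch_` hunk is the most exposed, because it assigns `sel` to the select immediately before reading the index, and a value that matches no option leaves nothing selected (whether `sel` can be such a value is decided outside the hunk). A guard such as `if (elt.selectedIndex >= 0) other = elt.options[elt.selectedIndex].textContent;` leaves `other` unchanged instead of aborting the handler. The enclosing functions start and end outside these hunks.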
diff --git a/src/webui/www/private/views/rssDownloader.html b/src/webui/www/private/views/rssDownloader.html
index e0f965504..28eb1d06c 100644
--- a/src/webui/www/private/views/rssDownloader.html
+++ b/src/webui/www/private/views/rssDownloader.html
@@ -682,7 +682,7 @@ Supports the formats: S01E01, 1x1, 2017.12.31 and 31.12.2017 (Date formats also
 $('savetoDifferentDir').checked = false;
 $('saveToText').value = '';
 $('ignoreDaysValue').value = 0;
- $('lastMatchText').innerHTML = 'QBT_TR(Last Match: Unknown)QBT_TR[CONTEXT=AutomatedRssDownloader]';
+ $('lastMatchText').textContent = 'QBT_TR(Last Match: Unknown)QBT_TR[CONTEXT=AutomatedRssDownloader]';
 $('addPausedCombobox').value = 'default';
 $('contentLayoutCombobox').value = 'Default';
 rssDownloaderFeedSelectionTable.clear();
@@ -724,10 +724,10 @@ Supports the formats: S01E01, 1x1, 2017.12.31 and 31.12.2017 (Date formats also
 if (rulesList[ruleName].lastMatch !== '') {
 let timeDiffInMs = new Date().getTime() - new Date(rulesList[ruleName].lastMatch).getTime();
 let daysAgo = Math.floor(timeDiffInMs / (1000 * 60 * 60 * 24)).toString();
- $('lastMatchText').innerHTML = ' QBT_TR(Last Match: %1 days ago)QBT_TR[CONTEXT=AutomatedRssDownloader]'.replace('%1', daysAgo);
+ $('lastMatchText').textContent = ' QBT_TR(Last Match: %1 days ago)QBT_TR[CONTEXT=AutomatedRssDownloader]'.replace('%1', daysAgo);
 }
 else {
- $('lastMatchText').innerHTML = 'QBT_TR(Last Match: Unknown)QBT_TR[CONTEXT=AutomatedRssDownloader]';
+ $('lastMatchText').textContent = 'QBT_TR(Last Match: Unknown)QBT_TR[CONTEXT=AutomatedRssDownloader]';
 }
 if (rulesList[ruleName].addPaused === null)
diff --git a/src/webui/www/public/scripts/login.js b/src/webui/www/public/scripts/login.js
index 175e0012c..21ccc6ffa 100644
--- a/src/webui/www/public/scripts/login.js
+++ b/src/webui/www/public/scripts/login.js
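Review bot: Assigning the `QBT_TR(...)` literals through `textContent` means the browser no longer decodes HTML entities, so any entity present in the substituted translation is now displayed verbatim (for example `&#39;` instead of an apostrophe). This applies to the three `lastMatchText` assignments in this file and to both `errorMsgElement` assignments in login.js. Whether the step that expands `QBT_TR` emits entities is not visible in this patch, so it should be checked against that code before merging. If it does, the translated text should reach these lines unescaped, or be decoded in one helper, rather than reverting any of them to `innerHTML`.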
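Review bot: `daysAgo` in the second hunk is derived from `new Date(rulesList[ruleName].lastMatch)` after only an empty-string check, so a value the Date constructor cannot parse produces `NaN` and the label reads "NaN days ago". Extending the condition to `if (rulesList[ruleName].lastMatch !== '' && !Number.isNaN(new Date(rulesList[ruleName].lastMatch).getTime())) {` would route that case to the existing "Last Match: Unknown" branch. `timeDiffInMs` and `daysAgo` are not reassigned in the visible lines and could be declared with `const`. The enclosing function extends beyond the hunk on both sides.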
@@ -48,11 +48,11 @@ function submitLoginForm() {
 if ((xhr.status === 200) && (xhr.responseText === "Ok."))
 location.reload(true);
 else
- errorMsgElement.innerHTML = 'QBT_TR(Invalid Username or Password.)QBT_TR[CONTEXT=HttpServer]';
+ errorMsgElement.textContent = 'QBT_TR(Invalid Username or Password.)QBT_TR[CONTEXT=HttpServer]';
 }
 });
 xhr.addEventListener('error', function() {
- errorMsgElement.innerHTML = (xhr.responseText !== "")
+ errorMsgElement.textContent = (xhr.responseText !== "")
 ? xhr.responseText
 : 'QBT_TR(Unable to log in, qBittorrent is probably unreachable.)QBT_TR[CONTEXT=HttpServer]';
 });
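Review bot: The `error` listener still copies `xhr.responseText` onto the unauthenticated login page; `textContent` removes the markup-injection risk, but the message shown is still whatever the responding party sent. The `error` event reports a network-level failure, where XMLHttpRequest normally has an empty response, so the first arm of the ternary is unlikely to run and the handler could assign the fixed string directly: `errorMsgElement.textContent = 'QBT_TR(Unable to log in, qBittorrent is probably unreachable.)QBT_TR[CONTEXT=HttpServer]';`. Separately, the branch above it reports "Invalid Username or Password." for every response that is not a 200 with body `Ok.`, which mislabels server-side failures unrelated to credentials. `submitLoginForm` starts before the hunk and continues after it.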