WebUI: migrate away from inline HTML code

`innerHTML` & `outerHTML` setter will more or less evaluate the value which could be used to inject malicious code. So replace them with safer alternatives. PR #21163.
2025-07-06 21:21:24 -07:00 · 2024-08-10 12:55:48 +08:00 · 2024-08-10 12:55:48 +08:00 · 5afeecbf18
commit 5afeecbf18
parent 4570c0ef9e
7 changed files with 201 additions and 114 deletions
--- a/src/webui/www/private/scripts/dynamicTable.js
+++ b/src/webui/www/private/scripts/dynamicTable.js
@ -333,10 +333,18 @@ window.qBittorrent.DynamicTable ??= (() => {
            });

            const createLi = function(columnName, text) {
-                const html = '<a href="#' + columnName + '" ><img src="images/checked-completed.svg"/>' + window.qBittorrent.Misc.escapeHtml(text) + "</a>";
-                return new Element("li", {
-                    html: html
-                });
+                const anchor = document.createElement("a");
+                anchor.href = `#${columnName}`;
+                anchor.textContent = text;
+
+                const img = document.createElement("img");
+                img.src = "images/checked-completed.svg";
+                anchor.prepend(img);
+
+                const listItem = document.createElement("li");
+                listItem.appendChild(anchor);
+
+                return listItem;
            };

            const actions = {};
@ -2095,8 +2103,7 @@ window.qBittorrent.DynamicTable ??= (() => {
                            },
                            id: dirImgId
                        });
-                        const html = dirImg.outerHTML + span.outerHTML;
-                        td.innerHTML = html;
+                        td.replaceChildren(dirImg, span);
                    }
                }
                else { // is file
@ -2108,7 +2115,7 @@ window.qBittorrent.DynamicTable ??= (() => {
                            "margin-left": ((node.depth + 1) * 20)
                        }
                    });
-                    td.innerHTML = span.outerHTML;
+                    td.replaceChildren(span);
                }
            };

@ -2122,7 +2129,7 @@ window.qBittorrent.DynamicTable ??= (() => {
                    text: value,
                    id: fileNameRenamedId,
                });
-                td.innerHTML = span.outerHTML;
+                td.replaceChildren(span);
            };
        },

@ -2428,8 +2435,7 @@ window.qBittorrent.DynamicTable ??= (() => {
                            },
                            id: dirImgId
                        });
-                        const html = collapseIcon.outerHTML + dirImg.outerHTML + span.outerHTML;
-                        td.innerHTML = html;
+                        td.replaceChildren(collapseIcon, dirImg, span);
                    }
                }
                else {
@ -2441,7 +2447,7 @@ window.qBittorrent.DynamicTable ??= (() => {
                            "margin-left": ((node.depth + 1) * 20)
                        }
                    });
-                    td.innerHTML = span.outerHTML;
+                    td.replaceChildren(span);
                }
            };