* Sanitize user-input on file name
- Sanitize user-input before it get passed into the DOM.
- Prevent things like "<iframe onload=alert(1)></iframe>" from being
executed. This isn't a XSS attack as the server seems to be santizing
the path as well.
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
+import {htmlEscape} from 'escape-goat';
import {initMarkupContent} from '../markup/content.js';
import {createCodeEditor} from './codeeditor.js';
value = parts[i];
if (i < parts.length - 1) {
if (value.length) {
- $(`<span class="section"><a href="#">${value}</a></span>`).insertBefore($(this));
+ $(`<span class="section"><a href="#">${htmlEscape(value)}</a></span>`).insertBefore($(this));
$('<div class="divider"> / </div>').insertBefore($(this));
}
} else {