fix XSS injection possible in comment

d1b98ace · Jonas Leder · 83ab2147 · d1b98ace
Commit d1b98ace authored 3 years ago by Jonas Leder
--- a/js/customElements/commentsDisplay.js
+++ b/js/customElements/commentsDisplay.js
@@ -10,15 +10,28 @@ class commentsDisplay extends HTMLElement {
                if (xhr.status === 200) {
                    let comments = JSON.parse(xhr.responseText);
                    comments.forEach((element) => {
-                        this.innerHTML += `
-                        <h3 class="commentTitle">${element["name"]}</h3>
-                        <div class="comment">
-                            <img src="${element["gravatarURL"]}">
-                            <article class="commentArticle">
-                                <p class="commentText">${element["comment"]}</p>
-                            </article>
-                        </div>
-                    `;
+                        const h3 = document.createElement("h3");
+                        h3.classList.add("commentTitle");
+                        h3.innerText = element["name"];
+                        this.appendChild(h3);
+
+                        const commentDiv = document.createElement("div");
+                        commentDiv.classList.add("comment");
+                        this.appendChild(commentDiv);
+
+                        const image = document.createElement("img");
+                        image.src = element["gravatarURL"];
+                        commentDiv.appendChild(image);
+
+                        const article = document.createElement("article");
+                        article.classList.add("commentArticle");
+                        commentDiv.appendChild(article);
+
+                        const commentText = document.createElement("p");
+                        commentText.classList.add("commentText");
+                        commentText.innerText = element["comment"];
+                        article.appendChild(commentText);
+
                    });
                } else {
                    let p = document.createElement("p");
@@ -33,4 +46,4 @@ class commentsDisplay extends HTMLElement {
    }
 }

-customElements.define("jl-comments_display", commentsDisplay);
\ No newline at end of file
+customElements.define("jl-comments_display", commentsDisplay);