David-Mulder / paper-datatable

A material design implementation of a data table.
GNU General Public License v3.0
237 stars 92 forks

Use textContent instead of innerHTML #108

Open theboolean opened 8 years ago

theboolean commented 8 years ago

Using innerHTML will expose the library to the possibility of cross-site scripting and HTML injection; textContent will instead use the string passed as-is, without parsing it as HTML. Note that textContent is the default behaviour of Polymer.

cc @leogr, who helped me discover and fix this issue.
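
A small source audit for the pattern this pull request removes, as an added example that is not part of the original thread or of paper-datatable: it flags assignments to `innerHTML` and Polymer's `inner-h-t-m-l` property binding so each hit can be reviewed and switched to `textContent` where no markup is intended. The sample source, the `findHtmlSinks` name and the rule names are constructed for illustration.

```javascript
// Added example, not paper-datatable code. SAMPLE is constructed input that
// mimics a Polymer element: a template followed by its script.
const SAMPLE = [
  '<template>',
  '  <span>[[item.name]]</span>',                      // text binding: goes to textContent
  '  <span inner-h-t-m-l="[[item.note]]"></span>',     // property binding to innerHTML
  '</template>',
  '<script>',
  '  cell.innerHTML = value;',                         // value is parsed as HTML
  '  cell.textContent = value;',                       // value is used as-is
  '  header.innerHTML += label;',                      // append is still parsed as HTML
  '  var copy = cell.innerHTML;',                      // read, not a write
  '  if (cell.innerHTML === "") { reset(); }',         // comparison, not a write
  '  // cell.innerHTML = old;',                        // commented out
  '</script>',
].join('\n');

// Each rule names one way a string can reach the HTML parser.
const RULES = [
  // `.innerHTML =` or `.innerHTML +=`, but not `==` / `===`
  { kind: 'js-assignment', re: /\.innerHTML\s*\+?=(?!=)/ },
  // Polymer maps the dash-case attribute inner-h-t-m-l to the innerHTML property
  { kind: 'polymer-binding', re: /\binner-h-t-m-l\s*=\s*["']\s*(\[\[|\{\{)/ },
];

// Returns one finding per matching line: { line, kind, text }.
// Limitation: only whole-line `//` comments are skipped; block comments are not.
function findHtmlSinks(source) {
  const findings = [];
  source.split('\n').forEach((raw, index) => {
    const text = raw.trim();
    if (text.startsWith('//')) return;
    for (const { kind, re } of RULES) {
      if (re.test(text)) findings.push({ line: index + 1, kind, text });
    }
  });
  return findings;
}

for (const f of findHtmlSinks(SAMPLE)) {
  console.log(`line ${f.line} [${f.kind}] ${f.text}`);
}
```

A hit is a prompt for review, not proof of a bug: a write that only ever receives a constant string is harmless, while one that receives row data or user input is the case the pull request addresses.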

theboolean commented 7 years ago

@David-Mulder any news about this?