mrsum / webpack-svgstore-plugin

Simple svg-sprite creating with webpack
https://www.npmjs.com/package/webpack-svgstore-plugin

XHRHelper - Add check for SVG response #116

Closed ryan-codingintrigue closed 7 years ago

ryan-codingintrigue commented 7 years ago

Since innerHTML is currently used unsanitized, it is possible to execute arbitrary JavaScript from the response returned from the AJAX request. This might be a trusted URL, but there is no guarantee of its validity.

Added a check to ensure an <svg> element is returned in the AJAX response to prevent XSS attacks
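The kind of guard this PR describes, as an added example that is not the plugin's own code and not the patch itself: the response text is checked before it reaches innerHTML, and only a document whose root element is `<svg>` is injected. It goes a little beyond the check named above by also refusing script elements, inline event-handler attributes and javascript: URLs as defence in depth. The function names, the container object and the sample responses are all constructed for this example. In a browser, parsing with DOMParser and inspecting the resulting tree is the stronger form of the same check; the string-level version is used here so it also runs under Node.

```javascript
// Added example (not webpack-svgstore-plugin's code): guard an AJAX-loaded
// sprite before injecting it with innerHTML.

// Leading material that may legitimately precede the root element: whitespace,
// an XML declaration, a DOCTYPE, and comments.
const LEADING_PROLOG = /^(?:\s|<\?xml[\s\S]*?\?>|<!DOCTYPE[^>]*>|<!--[\s\S]*?-->)*/i;

// Returns true when `text` looks like an SVG document that may be injected,
// false for anything else (HTML error pages, JSON, empty bodies, or SVG that
// carries executable content).
function isSvgResponse(text) {
  if (typeof text !== 'string' || text.length === 0) return false;
  const body = text.replace(LEADING_PROLOG, '');
  // The root element must be <svg ...>, <svg> or <svg/> (case-insensitive).
  if (!/^<svg[\s>\/]/i.test(body)) return false;
  // Defence in depth beyond the root-element check: reject script elements,
  // on* event-handler attributes and javascript: link targets.
  if (/<script[\s>\/]/i.test(body)) return false;
  if (/\son[a-z]+\s*=/i.test(body)) return false;
  if (/\b(?:href|xlink:href)\s*=\s*["']?\s*javascript:/i.test(body)) return false;
  return true;
}

// Injects the sprite only when the check passes; returns whether it did.
// `container` is any object with an innerHTML property (a DOM element in a
// browser, a plain object in the test below).
function injectSprite(container, text) {
  if (!isSvgResponse(text)) return false;
  container.innerHTML = text;
  return true;
}

// Constructed sample responses.
const GOOD_SPRITE =
  '<?xml version="1.0"?>\n<!-- sprite -->\n' +
  '<svg xmlns="http://www.w3.org/2000/svg">' +
  '<symbol id="icon-a" viewBox="0 0 10 10"><path d="M0 0h10v10z"/></symbol></svg>';
const HTML_ERROR_PAGE = '<!DOCTYPE html><html><body>404 Not Found</body></html>';
const JSON_RESPONSE = '{"error":"unauthorized"}';
const SVG_WITH_HANDLER = '<svg xmlns="http://www.w3.org/2000/svg" onload="run()"></svg>';

module.exports = { isSvgResponse, injectSprite, GOOD_SPRITE, HTML_ERROR_PAGE, JSON_RESPONSE, SVG_WITH_HANDLER };
```

Usage: call `injectSprite(document.body, xhr.responseText)` where the helper currently assigns innerHTML directly; a `false` return means the body was not an SVG document and nothing was inserted. The regular expressions are a heuristic, not a parser, so treat them as a minimum bar rather than a full sanitizer.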