Closed mhansen closed 3 years ago
This commit series makes loading untrusted profiles safer, by not executing their contents as HTML on mouseover.
And it also updates the search handler, which had a safe default, but encouraged users in the README to use .innerHTML, which is less safe.
I had to look up whether to use .innerText or .textContent.
I used .textContent here as that's what d3.text uses: https://github.com/d3/d3-selection/blob/464cb9a0af622375fee526ebbb66f709d5d92a2b/src/selection/text.js#L7, and that seemed like a good precedent.
LGTM