From e5a6039706fa4cdb7263afbb105446779c0714e8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Philipp=20Ku=CC=88hn?=
Date: Wed, 15 Jul 2020 11:36:33 +0200
Subject: [PATCH] fix xss issue
---
 packages/core/src/utils/elementFromString.ts | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/packages/core/src/utils/elementFromString.ts b/packages/core/src/utils/elementFromString.ts
index 02058c71..14c7055e 100644
--- a/packages/core/src/utils/elementFromString.ts
+++ b/packages/core/src/utils/elementFromString.ts
@@ -1,6 +1,7 @@
-export default function elementFromString(value: string): HTMLDivElement {
-  const element = document.createElement('div')
-  element.innerHTML = value.trim()
+export default function elementFromString(value: string): HTMLElement {
+  const htmlString = `
${value}
`
+  const parser = new window.DOMParser
+  const element = parser.parseFromString(htmlString, 'text/html').body
   return element
 }
\ No newline at end of file
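Review bot: The DOMParser result is inert only while it stays in the parsed document — scripts in `value` are not executed and no resources are fetched during parsing — but attributes such as `onerror` survive on the returned nodes and will fire the moment a caller appends the returned body (or its children) into the live document, so the XSS protection depends on consumers only reading the tree. The function should state that contract in a doc comment, e.g. `// Parses untrusted HTML into an inert document; the returned <body> must only be read from, never attached to the live DOM.` Separately, the old `value.trim()` is gone and the input is now wrapped in a template literal whose surrounding markup may have been lost in rendering, so leading/trailing whitespace handling changes; if that is deliberate, a one-line comment saying why would help the next maintainer. Minor style point: `new window.DOMParser` reads more conventionally as `new window.DOMParser()`.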