fix xss issue

2020-07-15 11:36:33 +02:00
parent 9e154fd36e
commit e5a6039706
1 changed files with 4 additions and 3 deletions
--- a/packages/core/src/utils/elementFromString.ts
+++ b/packages/core/src/utils/elementFromString.ts
@@ -1,6 +1,7 @@
-export default function elementFromString(value: string): HTMLDivElement {
-  const element = document.createElement('div')
-  element.innerHTML = value.trim()
+export default function elementFromString(value: string): HTMLElement {
+  const htmlString = `<div>${value}</div>`
+  const parser = new window.DOMParser
+  const element = parser.parseFromString(htmlString, 'text/html').body

  return element
 }