Remove innerHTML set in autocomplete

XMLWordPrintableJSON

    • Type: Task
    • Resolution: Won't Fix
    • Priority: Major - P3
    • No version
    • Affects Version/s: 1.49.4
    • Component/s: None
    • 2
    • Not Needed
    • Developer Tools

      We currently use innerHTML = ... in the autocompletion code mirror `description`:

      https://github.com/mongodb-js/compass/blob/2697ef31ff31470e0ef107ed2ef33ffda4a219e4/packages/compass-editor/src/codemirror/utils.ts#L187 

      While we only use it for our own content from mongodb-constants currently, it is a possible cross site scripting XSS avenue.

      We use this to show a link in the autocomplete: https://github.com/mongodb-js/compass/blob/2697ef31ff31470e0ef107ed2ef33ffda4a219e4/packages/compass-editor/src/codemirror/stage-autocompleter.ts#L45 

      Instead we should build the link element explicitly in an intentional node and use only innerText. 

            Assignee:
            Rhys Howell
            Reporter:
            Rhys Howell
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Created:
              Updated:
              Resolved: