Fix XSS in New File dialog.

Commit replaces call to innerHTML with a call to innerText to ensure
user supplied text will not create elements in the DOM. An alternative
to this approach would be to sanitize user input before adding it to the
DOM.

Signed-off-by: Casey Flynn <caseyflynn@google.com>

packages/core/src/browser/dialogs.ts

@@ -305,7 +305,7 @@ export abstract class AbstractDialog<T> extends BaseWidget {
         if (this.acceptButton) {
             this.acceptButton.disabled = !DialogError.getResult(error);
         }
-        this.errorMessageNode.innerHTML = DialogError.getMessage(error);
+        this.errorMessageNode.innerText = DialogError.getMessage(error);
     }
 
     protected addCloseAction<K extends keyof HTMLElementEventMap>(element: HTMLElement, ...additionalEventTypes: K[]): void {

packages/workspace/src/browser/workspace-commands.ts

@@ -349,12 +349,12 @@ export class WorkspaceCommandContribution implements CommandContribution {
         }
         // check and validate each sub-paths
         if (name.split(/[\\/]/).some(file => !file || !validFilename(file) || /^\s+$/.test(file))) {
-            return `The name <strong>${this.trimFileName(name)}</strong> is not a valid file or folder name.`;
+            return `The name "${this.trimFileName(name)}" is not a valid file or folder name.`;
         }
         const childUri = new URI(parent.uri).resolve(name).toString();
         const exists = await this.fileSystem.exists(childUri);
         if (exists) {
-            return `A file or folder <strong>${this.trimFileName(name)}</strong> already exists at this location.`;
+            return `A file or folder "${this.trimFileName(name)}" already exists at this location.`;
         }
         return '';
     }