fix #6987 XSS vulnerability in browser sidebar

Change simply updates innerHtml to innerText to ensure user supplied content does not impact the dom. Signed-off-by: Casey Flynn <caseyflynn@google.com>
eclipse-theia · Jan 29, 2020 · a6d565e · a6d565e
1 parent 791b576
commit a6d565e
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/packages/core/src/browser/shell/side-panel-toolbar.ts b/packages/core/src/browser/shell/side-panel-toolbar.ts
@@ -96,7 +96,7 @@ export class SidePanelToolbar extends BaseWidget {
     set toolbarTitle(title: Title<Widget> | undefined) {
         if (this.titleContainer && title) {
             this._toolbarTitle = title;
-            this.titleContainer.innerHTML = this._toolbarTitle.label;
+            this.titleContainer.innerText = this._toolbarTitle.label;
             this.titleContainer.title = this._toolbarTitle.caption || this._toolbarTitle.label;
             this.update();
         }