From 41281f45c5a53e2827fea76767ae19c3a8d34fa6 Mon Sep 17 00:00:00 2001
From: Casey Flynn
Date: Tue, 28 Jan 2020 10:53:12 -0800
Subject: [PATCH] fix #6987 XSS vulnerability in browser sidebar

Change simply updates innerHtml to innerText to ensure user supplied content does not impact the dom.

Signed-off-by: Casey Flynn
---
 packages/core/src/browser/shell/side-panel-toolbar.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/packages/core/src/browser/shell/side-panel-toolbar.ts b/packages/core/src/browser/shell/side-panel-toolbar.ts
index badb71cb5f0d0..5f076998c2dfc 100644
--- a/packages/core/src/browser/shell/side-panel-toolbar.ts
+++ b/packages/core/src/browser/shell/side-panel-toolbar.ts
@@ -96,7 +96,7 @@ export class SidePanelToolbar extends BaseWidget {
 set toolbarTitle(title: Title | undefined) {
 if (this.titleContainer && title) {
 this._toolbarTitle = title;
- this.titleContainer.innerHTML = this._toolbarTitle.label;
+ this.titleContainer.innerText = this._toolbarTitle.label;
 this.titleContainer.title = this._toolbarTitle.caption || this._toolbarTitle.label;
 this.update();
 }
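Review bot: The new assignment to `this.titleContainer.innerText` stops the label from being parsed as markup, but `textContent` is the more predictable sink for untrusted text. Setting `innerText` converts line breaks in the string into `<br>` elements, whereas `textContent` always writes a single text node, so I would use `this.titleContainer.textContent = this._toolbarTitle.label;`. The line also deserves a comment so a later refactor does not restore the HTML sink, for example `// label may carry user-supplied text (#6987): assign as text, never via innerHTML`. Only this one sink is visible here; other places that render `Title.label` or `caption` presumably need the same check, and a regression test that sets a label containing markup and asserts the container has no child elements would pin the fix. The setter's closing brace lies outside the hunk.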