mik-laj commented on a change in pull request #5952: [AIRFLOW-5348] Escape chart Label when set via JS
URL: https://github.com/apache/airflow/pull/5952#discussion_r319263380
 
 

 ##########
 File path: airflow/www/templates/airflow/nvd3.html
 ##########
 @@ -162,7 +162,7 @@ <h4 class="panel-title">
           $('#chart_body').html('<div class="alert alert-danger">' + 
payload.error + '</div>');
         }
         $("#sql_panel_body").html(payload.sql_html);
-        $("#label").html(payload.label);
+        $("#label").html(escapeHTML(payload.label));
 
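Review bot: The call on the `+` line is spelled `escapeHTML`, but the helper quoted in the review comment is exported as `escapeHtml`; JavaScript identifiers are case-sensitive, so if the exported name is `escapeHtml` this line throws a ReferenceError instead of escaping anything. Confirm the spelling against the helper's export. Since the label is plain text, `$("#label").text(payload.label);` sets textContent directly and achieves the same result without depending on the escape helper; keep `.html()` only if the label is meant to carry markup. The unchanged context line `$('#chart_body').html('<div class="alert alert-danger">' + payload.error + '</div>');` also concatenates a payload field straight into HTML, so it deserves the same `.text()`-or-escape decision in this change.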
 Review comment:
   This is the current implementation of the escapeHtml function:
   ```javascript
   // One detached element is reused for every call.
   var el = document.createElement("span");
   
   export function escapeHtml(text) {
     // Assigning textContent stores the string as a text node; reading
     // innerHTML serialises it back with &, < and > escaped.
     el.textContent = text;
     return el.innerHTML;
   }
   ```
   ``$("#label").html(content)`` is an equivalent of ``document.querySelector("#label").innerHTML = content``
   ``$("#label").text(content)`` is an equivalent of ``document.querySelector("#label").textContent = content``
   Setting textContent is secure and does not cause security problems.
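
The comment above explains the escapeHtml helper in terms of the browser's textContent/innerHTML round trip. The following is an added example, not code from the Airflow project or from this PR: it reproduces that round trip as a plain string function so it runs in Node without a DOM, adds a separate attribute-context escaper (the DOM-based helper escapes `&`, `<` and `>` but not quote characters, which matters only when a value lands inside an attribute), and uses a constructed `FakeLabel` stand-in for the jQuery `.html()`/`.text()` calls to show that `.html(escapeHtml(x))` and `.text(x)` produce the same markup. `escapeHtmlText`, `escapeHtmlAttr`, `renderLabel`, `FakeLabel` and `SAMPLE_PAYLOAD` are names chosen for this example.

```javascript
// Added example (not Airflow's or the PR's code): string-based equivalents of
// the DOM-based escapeHtml shown in the review comment, runnable in Node.

// Characters a browser escapes when it serialises a text node back to
// innerHTML; this mirrors what `el.textContent = text; el.innerHTML` yields.
const TEXT_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '\u00a0': '&nbsp;',
};

// Safe for element *content* only, i.e. the same guarantee as `.text()` /
// textContent. Note that quotes are left alone, exactly like the DOM helper.
function escapeHtmlText(text) {
  return String(text).replace(/[&<>\u00a0]/g, (ch) => TEXT_ESCAPES[ch]);
}

// For attribute values the quote characters must be escaped as well,
// otherwise a value containing `"` or `'` can terminate the attribute early.
// This goes beyond the page's helper, which is only meant for text content.
function escapeHtmlAttr(text) {
  return escapeHtmlText(text)
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Constructed stand-in for the two jQuery calls in the template (hypothetical
// class so the example runs without a DOM). `.html()` stores markup verbatim;
// `.text()` stores the escaped form, like assigning textContent.
class FakeLabel {
  constructor() { this.innerHTML = ''; }
  html(markup) { this.innerHTML = String(markup); return this; }
  text(content) { this.innerHTML = escapeHtmlText(content); return this; }
}

// Render a chart payload's label the three ways discussed in the review and
// report the resulting markup plus whether escape+html equals text().
function renderLabel(payload) {
  const raw = new FakeLabel().html(payload.label).innerHTML;
  const escaped = new FakeLabel().html(escapeHtmlText(payload.label)).innerHTML;
  const viaText = new FakeLabel().text(payload.label).innerHTML;
  return { raw, escaped, viaText, equivalent: escaped === viaText };
}

// Constructed sample payload resembling what the chart endpoint returns.
const SAMPLE_PAYLOAD = { label: 'Tasks <b>done</b> & "failed"' };

console.log(renderLabel(SAMPLE_PAYLOAD));
```

`renderLabel` returns `equivalent: true` for the sample, which is the point the comment makes: once the label is plain text, `.text(payload.label)` gives the same markup as `.html(escapeHtml(payload.label))` with one fewer moving part.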

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
[email protected]


With regards,
Apache Git Services
