From d947f453611f6497574aefb60288a2cb15e38ca7 Mon Sep 17 00:00:00 2001
From: LukeWood
Date: Mon, 17 Aug 2020 10:12:27 -0700
Subject: [PATCH] Convert stylesheet.innerHTML to stylesheet.innerText

Browsers will interpret this the same but this protects against attacks such as:
Change-Id: I34062ad3562a1791ec4ea5a404acf8f459cdcef9
https: //www.netsparker.com/blog/web-security/private-data-stolen-exploiting-css-injection/
Signed-off-by: LukeWood
---
 .../plugin-ext/src/main/browser/plugin-icon-theme-service.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/packages/plugin-ext/src/main/browser/plugin-icon-theme-service.ts b/packages/plugin-ext/src/main/browser/plugin-icon-theme-service.ts
index 25c509d0f5c60..bce47cbfefd7a 100644
--- a/packages/plugin-ext/src/main/browser/plugin-icon-theme-service.ts
+++ b/packages/plugin-ext/src/main/browser/plugin-icon-theme-service.ts
@@ -160,7 +160,7 @@ export class PluginIconTheme extends PluginIconThemeDefinition implements IconTh
 const styleElement = document.createElement('style');
 styleElement.type = 'text/css';
 styleElement.className = 'theia-icon-theme';
- styleElement.innerHTML = this.styleSheetContent;
+ styleElement.innerText = this.styleSheetContent;
 document.head.appendChild(styleElement);
 const toRemoveStyleElement = Disposable.create(() => styleElement.remove());
 this.toDisposeStyleElement.push(toRemoveStyleElement);
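Review bot: The new assignment `styleElement.innerText = this.styleSheetContent;` should use `textContent` instead, because the `innerText` setter is rendering-oriented and turns each line break in the string into a `<br>` child element. A multi-line stylesheet therefore ends up split across several text nodes with its newlines dropped, which is not quite "the same" as before. `styleElement.textContent = this.styleSheetContent;` stores the string as a single text node with no HTML parsing and no newline rewriting. Changing the sink also does not validate the CSS itself: if `styleSheetContent` can carry plugin-controlled values (its construction is outside this hunk), the CSS-injection risk described in the linked article presumably remains and would need escaping or validation where the sheet is built. The enclosing method starts and ends outside the hunk.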