diff --git a/src/ui/public/theme/theme.js b/src/ui/public/theme/theme.js
index 4d4317441ffa4..b6393aea68561 100644
--- a/src/ui/public/theme/theme.js
+++ b/src/ui/public/theme/theme.js
@@ -7,6 +7,10 @@ export function registerTheme(theme, styles) {
 export function applyTheme(newTheme) {
   currentTheme = newTheme;
+
+  // NOTE: The use of innerHTML opens up to XSS attacks, so we can't support user-generated themes
+  // as long as this implementation is in use. Ideally we would use the webpack style-loader/useable
+  // to activate and deactivate themes, but that causes the optimize step to fail.
   document.getElementById('themeCss').innerHTML = themes[currentTheme];
 }
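Review bot: The added NOTE documents the XSS concern, but nothing in applyTheme enforces it — the `themes[currentTheme]` lookup on the innerHTML line is unchecked, so a name that is not a registered theme yields `undefined` (written into the element as the literal text "undefined") and, if `themes` is a plain object, an inherited key such as `constructor` would inject function source instead of CSS. A guard before the assignment, e.g. `if (!Object.prototype.hasOwnProperty.call(themes, newTheme)) return;` (or a thrown Error if callers should be told), makes the "registered themes only" rule fail-closed rather than resting on the comment. If `themeCss` is a `<style>` element — not visible in this hunk — assigning `.textContent` instead of `.innerHTML` drops the HTML fragment parsing without changing how the CSS is applied, though CSS from an untrusted source remains a risk on its own, so the caveat about user-generated themes should stay either way. `registerTheme`, named in the hunk header, and the declaration of `themes` lie outside the hunk.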