Unnecessary use of innerHTML

[ManuGowda]

Expected behavior

Modify the code to use .innerText instead of .innerHTML . This will accomplish the same without the risk of XSS.

Review every other HTML sink, and, where they are really necessary, add a comment explaining why, and why unsanitized attacker input cannot reach it.

Actual behavior

The code unnecessarily uses the .innerHTML function to append simple text to the DOM, as shown in figure 59.1. This function allows users to modify the HTML of an element; however, in this case, this is unnecessary because the data-name attribute of icon elements is always simple text without HTML tags. Using .innerText is sufficient.

Steps to reproduce

lisk-desktop/setup/react/assets/fonts/iconfont/icons.html

Lines 497 to 506 in 8238f41

	<script>
	(function () {
	document.getElementById('icons').onclick = function (e) {
	e = e || window.event;
	var name =
	e.target.getAttribute('data-name') || e.target.parentNode.getAttribute('data-name');
	document.getElementById('name').innerHTML = name;
	};
	})();
	</script>

Reference

https://developer.mozilla.org/en-US/docs/Web/API/HTMLElement/innerText
https://developer.mozilla.org/en-US/docs/Web/API/Element/innerHTML