Potential fix for code scanning alert no. 2: DOM text reinterpreted a…

…s HTML Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
disposable · Feb 2, 2025 · 5320b20 · 5320b20
1 parent a55d9f9
commit 5320b20
Showing 1 changed file with 11 additions and 2 deletions.
diff --git a/assets/js/lookup.js b/assets/js/lookup.js
@@ -14,9 +14,18 @@ function isValidDomain(domain) {
     return domainRegex.test(domain);
 }
 
+function escapeHtml(unsafe) {
+    return unsafe
+        .replace(/&/g, "&amp;")
+        .replace(/</g, "&lt;")
+        .replace(/>/g, "&gt;")
+        .replace(/"/g, "&quot;")
+        .replace(/'/g, "&#039;");
+}
+
 function showMessage(message, type) {
     const messageDiv = document.getElementById('result');
-    messageDiv.innerHTML = message;
+    messageDiv.innerHTML = escapeHtml(message);
     messageDiv.className = 'alert ' + type;
 }
 
@@ -90,7 +99,7 @@ document.getElementById('lookup-form').addEventListener('submit', function (even
         if (!data) {
             return;
         }
-        let msg = `<h1>Domain ${data.domain} ${data.strict ? 'is on <a href="https://github.com/disposable/disposable?tab=readme-ov-file#strict-mode" target="_blank">strict mode list</a>' : 'is listed'}!</h1><p><h2>Sources:</h2><ul>`;
+        let msg = `<h1>Domain ${escapeHtml(data.domain)} ${data.strict ? 'is on <a href="https://github.com/disposable/disposable?tab=readme-ov-file#strict-mode" target="_blank">strict mode list</a>' : 'is listed'}!</h1><p><h2>Sources:</h2><ul>`;
         for (let i = 0; i < data.src.length; i++) {
             const entry = data.src[i],
                 external = entry['ext'];