From 6048299a138e078aed210f163111698c8c526a13 Mon Sep 17 00:00:00 2001
From: Solly Ross <sross@redhat.com>
Date: Thu, 12 Jan 2017 11:43:35 -0500
Subject: [PATCH] Use textContent instead of innerHTML

Previously, setting `innerHTML` was used to display the statuses.  These
could include content communicated from the remote VNC server, allowing
the remove VNC server to inject HTML into the noVNC page.

This commit switches all uses of `innerHTML` to use `textContent`, which
is not vulnerable to the HTML injection.
---
 app/ui.js               |  8 ++++----
 tests/input.html        |  2 +-
 tests/vnc_perf.html     |  4 ++--
 tests/vnc_playback.html |  4 ++--
 vnc_auto.html           | 10 +++++++---
 5 files changed, 16 insertions(+), 12 deletions(-)

diff --git a/app/ui.js b/app/ui.js
index 0e789c0..8056078 100644
--- a/app/ui.js
+++ b/app/ui.js
@@ -48,7 +48,7 @@ var UI;
 
             document.getElementById('noVNC_fallback_error')
                 .classList.add("noVNC_open");
-            document.getElementById('noVNC_fallback_errormsg').innerHTML = msg;
+            document.getElementById('noVNC_fallback_errormsg').textContent = msg;
         } catch (exc) {
             document.write("noVNC encountered an error.");
         }
@@ -416,7 +416,7 @@ var UI;
 
             switch (state) {
                 case 'connecting':
-                    document.getElementById("noVNC_transition_text").innerHTML = _("Connecting...");
+                    document.getElementById("noVNC_transition_text").textContent = _("Connecting...");
                     document.documentElement.classList.add("noVNC_connecting");
                     break;
                 case 'connected':
@@ -431,7 +431,7 @@ var UI;
                     break;
                 case 'disconnecting':
                     UI.connected = false;
-                    document.getElementById("noVNC_transition_text").innerHTML = _("Disconnecting...");
+                    document.getElementById("noVNC_transition_text").textContent = _("Disconnecting...");
                     document.documentElement.classList.add("noVNC_disconnecting");
                     break;
                 case 'disconnected':
@@ -531,7 +531,7 @@ var UI;
                     break;
             }
 
-            statusElem.innerHTML = text;
+            statusElem.textContent = text;
             statusElem.classList.add("noVNC_open");
 
             // If no time was specified, show the status for 1.5 seconds
diff --git a/tests/input.html b/tests/input.html
index 437d6f3..0938a4a 100644
--- a/tests/input.html
+++ b/tests/input.html
@@ -45,7 +45,7 @@
         function message(str) {
             console.log(str);
             cell = document.getElementById('messages');
-            cell.innerHTML += msg_cnt + ": " + str + newline;
+            cell.textContent += msg_cnt + ": " + str + newline;
             cell.scrollTop = cell.scrollHeight;
             msg_cnt++;
         }
diff --git a/tests/vnc_perf.html b/tests/vnc_perf.html
index c3e6a11..ce97ca4 100644
--- a/tests/vnc_perf.html
+++ b/tests/vnc_perf.html
@@ -65,7 +65,7 @@
         function msg(str) {
             console.log(str);
             var cell = document.getElementById('messages');
-            cell.innerHTML += str + "\n";
+            cell.textContent += str + "\n";
             cell.scrollTop = cell.scrollHeight;
         }
         function dbgmsg(str) {
@@ -85,7 +85,7 @@
         }
 
         notification = function (rfb, mesg, level, options) {
-            document.getElementById('VNC_status').innerHTML = mesg;
+            document.getElementById('VNC_status').textContent = mesg;
         }
 
         function do_test() {
diff --git a/tests/vnc_playback.html b/tests/vnc_playback.html
index 510ad06..65b735e 100644
--- a/tests/vnc_playback.html
+++ b/tests/vnc_playback.html
@@ -49,7 +49,7 @@
         function message(str) {
             console.log(str);
             var cell = document.getElementById('messages');
-            cell.innerHTML += str + "\n";
+            cell.textContent += str + "\n";
             cell.scrollTop = cell.scrollHeight;
         }
 
@@ -76,7 +76,7 @@
         }
 
         notification = function (rfb, mesg, level, options) {
-            document.getElementById('VNC_status').innerHTML = mesg;
+            document.getElementById('VNC_status').textContent = mesg;
         }
 
         function start() {
diff --git a/vnc_auto.html b/vnc_auto.html
index e86ae5d..e4fc467 100644
--- a/vnc_auto.html
+++ b/vnc_auto.html
@@ -111,10 +111,14 @@
             var html;
             html = '<form onsubmit="return setPassword();"';
             html += '  style="margin-bottom: 0px">';
-            html += msg;
+            html += '<label></label>'
             html += '<input type=password size=10 id="password_input" class="noVNC_status">';
             html += '<\/form>';
-            status(html, "warn");
+
+            // bypass status() because it sets text content
+            document.getElementById('noVNC_status_bar').setAttribute("class", "noVNC_status_warn");
+            document.getElementById('noVNC_status').innerHTML = html;
+            document.getElementById('noVNC_status').querySelector('label').textContent = msg;
         }
         function setPassword() {
             rfb.sendPassword(document.getElementById('password_input').value);
@@ -146,7 +150,7 @@
                     level = "warn";
             }
             document.getElementById('noVNC_status_bar').setAttribute("class", "noVNC_status_" + level);
-            document.getElementById('noVNC_status').innerHTML = text;
+            document.getElementById('noVNC_status').textContent = text;
         }
         function updateState(rfb, state, oldstate) {
             var cad = document.getElementById('sendCtrlAltDelButton');