On Thu, Dec 3, 2020 at 2:38 PM Tristan Cacqueray <tdecacqu@redhat.com> wrote:
> On Thu, Dec 03, 2020 at 10:22 Radosław Piliszek wrote:
> > Hello Fellow OpenStack and OpenDev Folks!
> > TL;DR click on [3] and enjoy.
>
> Hello
>
> It seems like this script is injecting build details directly using the innerHTML attribute without filtering html entities, please see the `Security considerations` section of
> https://developer.mozilla.org/en-US/docs/Web/API/Element/innerHTML
Yes, it is a generally valid remark, but I consider both Gerrit and Zuul (both of OpenDev) to have the exact same level of trust, so I did not modify the approach. But yes, for anyone trying to learn best practices from this snippet: please do not, it is far from them. :-) In general this approach is very wasteful as it causes rebuilding (or rather rejoining) and reparsing of HTML instead of DOM manipulations. For such a simple table it does not hurt, but please do not do it at home.

-yoctozepto
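Added example, not the script from the thread: the innerHTML rejoin-and-reparse pattern Tristan flags, beside an entity-escaping variant and the DOM-manipulation alternative yoctozepto mentions. The `builds` rows, their field names and the URLs are constructed for this illustration.

```javascript
// Constructed sample rows (field names are assumptions); the second job name carries markup.
const builds = [
  { job: "openstack-tox-py38", result: "SUCCESS", log: "https://example.invalid/log/1" },
  { job: "<script>alert(1)</script>", result: "FAILURE", log: "https://example.invalid/log/2" },
];

// UNSAFE: the rejoin-and-reparse pattern from the thread. Anything in the
// build details is parsed as HTML once the string is assigned to innerHTML.
function renderUnsafe(rows) {
  return "<table>" + rows.map(b =>
    `<tr><td>${b.job}</td><td>${b.result}</td><td><a href="${b.log}">log</a></td></tr>`
  ).join("") + "</table>";
}

// Escape the characters that matter in HTML text and quoted attribute values.
function escapeHtml(s) {
  return String(s).replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;").replace(/'/g, "&#39;");
}

// Still string-based (same wasteful reparse), but no build detail can close
// or open a tag; only http(s) URLs are allowed into href.
function renderEscaped(rows) {
  return "<table>" + rows.map(b => {
    const href = /^https?:\/\//.test(b.log) ? escapeHtml(b.log) : "#";
    return `<tr><td>${escapeHtml(b.job)}</td><td>${escapeHtml(b.result)}</td>` +
      `<td><a href="${href}">log</a></td></tr>`;
  }).join("") + "</table>";
}

// DOM manipulation, the approach the reply recommends: textContent is never
// parsed as markup, and href set as a property needs no attribute quoting. `doc` is a Document.
function renderDom(doc, rows) {
  const table = doc.createElement("table");
  for (const b of rows) {
    const tr = doc.createElement("tr");
    for (const text of [b.job, b.result]) {
      const td = doc.createElement("td");
      td.textContent = text;
      tr.appendChild(td);
    }
    const a = doc.createElement("a");
    a.textContent = "log";
    a.href = /^https?:\/\//.test(b.log) ? b.log : "#";
    tr.appendChild(doc.createElement("td")).appendChild(a);
    table.appendChild(tr);
  }
  return table;
}
```

In a browser, `container.replaceChildren(renderDom(document, builds))` renders the table without any innerHTML assignment.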