Set comment textConent instead of innerHTML to avoid self xss (#882)

2026-06-10 02:01:03 +08:00 · 2026-02-28 00:22:55 +04:00
parent 0abcf99d2c
commit 32c130cf00
1 changed files with 1 additions and 1 deletions
@@ -72,7 +72,7 @@ export function getCommentHeight(comment, containerWidth, showComments = true) {
  span.className = "absolute text-xs px-3 line-clamp-5";

  span.style.width = containerWidth - borders + "px";
-  span.innerHTML = comment;
+  span.textContent = comment;
  span.id = "temp-comment-measure";

  document.body.appendChild(span);