Be more explicit about setting innerHTML

2025-07-08 02:34:06 -04:00 · 2017-05-15 19:49:34 +05:30 · 2017-05-15 19:49:34 +05:30 · a50a2c7cca
commit a50a2c7cca
parent 7a4ddafb9b
7 changed files with 21 additions and 17 deletions
--- a/src/pyj/book_list/book_details.pyj
+++ b/src/pyj/book_list/book_details.pyj
@ -12,7 +12,7 @@ from modals import error_dialog, create_custom_dialog
 from widgets import create_spinner, create_button
 from date import format_date
 from session import get_interface_data
-from utils import fmt_sidx, parse_url_params, conditional_timeout, simple_markup
+from utils import fmt_sidx, parse_url_params, conditional_timeout, safe_set_inner_html

 from book_list.router import back, open_book, home
 from book_list.library_data import book_metadata, cover_url, set_book_metadata, current_library_id, library_data, download_url, load_status, current_virtual_library
@ -387,7 +387,7 @@ def metadata_fetched(container_id, book_id, end_type, xhr, event):
            _('Could not fetch metadata for book'),
            E.div(style='margin: 1ex 1em')
        ))
-        c.lastChild.lastChild.innerHTML = simple_markup(xhr.error_html)
+        safe_set_inner_html(c.lastChild.lastChild, xhr.error_html)

 def fetch_metadata(container_id, book_id):
    nonlocal current_fetch
@ -432,7 +432,7 @@ def check_for_books_loaded():
    clear(container)
    if not load_status.ok:
        err = E.div()
-        err.innerHTML = simple_markup(load_status.error_html)
+        safe_set_inner_html(err, load_status.error_html)
        container.appendChild(E.div(
            style='margin: 1ex 1em',
            E.div(_('Failed to load books from calibre library, with error:')),
--- a/src/pyj/book_list/main.pyj
+++ b/src/pyj/book_list/main.pyj
@ -10,7 +10,7 @@ from modals import create_modal_container, error_dialog
 from session import get_interface_data, UserSessionData, update_interface_data, get_translations
 from gettext import gettext as _, install
 from popups import install_event_filters
-from utils import simple_markup
+from utils import safe_set_inner_html

 from book_list.constants import book_list_container_id, read_book_container_id
 from book_list.library_data import fetch_init_data, update_library_data, url_books_query
@ -91,7 +91,7 @@ def on_data_loaded(end_type, xhr, ev):
            msg = _('You are not authorized to view this site')
        else:
            msg = xhr.error_html
-        p.innerHTML = simple_markup(msg)
+        safe_set_inner_html(p, msg)
        document.body.appendChild(p)


--- a/src/pyj/book_list/search.pyj
+++ b/src/pyj/book_list/search.pyj
@ -9,7 +9,7 @@ from elementmaker import E
 from gettext import gettext as _
 from widgets import create_button, create_spinner, Breadcrumbs
 from modals import show_modal
-from utils import rating_to_stars
+from utils import rating_to_stars, safe_set_inner_html
 from session import get_interface_data

 from book_list.library_data import library_data, current_library_id, current_virtual_library
@ -328,7 +328,7 @@ def on_data_fetched(end_type, xhr, ev):
    def show_error(error_html):
        ediv = E.div()
        container.appendChild(ediv)
-        ediv.innerHTML = '<h3>' + _('Failed to load Tag browser data') + '</h3>' + error_html
+        safe_set_inner_html(ediv, '<h3>' + _('Failed to load Tag browser data') + '</h3>' + error_html)

    def process_node(node, item_map):
        state.node_id_map[node.id] = node
--- a/src/pyj/book_list/views.pyj
+++ b/src/pyj/book_list/views.pyj
@ -32,7 +32,7 @@ from book_list.ui import set_panel_handler, show_panel
 from dom import add_extra_css, build_rule, clear, ensure_id, set_css
 from modals import error_dialog
 from session import get_interface_data
-from utils import conditional_timeout, parse_url_params, simple_markup
+from utils import conditional_timeout, parse_url_params, safe_set_inner_html
 from widgets import create_button, create_spinner

 CLASS_NAME = 'book-list-container'
@ -272,7 +272,7 @@ def check_for_books_loaded():
    clear(container)
    if not load_status.ok:
        err = E.div()
-        err.innerHTML = simple_markup(load_status.error_html)
+        safe_set_inner_html(err, load_status.error_html)
        container.appendChild(E.div(
            style='margin: 1ex 1em',
            E.div(_('Failed to load books from calibre library, with error:')),
--- a/src/pyj/modals.pyj
+++ b/src/pyj/modals.pyj
@ -9,7 +9,7 @@ from ajax import ajax, ajax_send
 from book_list.theme import get_color, get_font_size
 from dom import add_extra_css, build_rule, clear, set_css, svgicon
 from popups import MODAL_Z_INDEX
-from utils import simple_markup
+from utils import safe_set_inner_html

 modal_container = None
 modal_count = 0
@ -147,10 +147,10 @@ def create_simple_dialog(title, msg, details, icon, prefix):
        is_html_msg = /<[a-zA-Z]/.test(msg)
        html_container = E.div()
        if is_html_msg:
-            html_container.innerHTML = simple_markup(msg)
+            safe_set_inner_html(html_container, msg)
        details_container = E.span()
        if /<[a-zA-Z]/.test(details):
-            details_container.innerHTML = simple_markup(details)
+            safe_set_inner_html(details_container, details)
        else:
            details_container.textContent = details
        parent.appendChild(
@ -195,7 +195,7 @@ def create_progress_dialog(msg, on_close):
    return {
        'close': def(): modal_container.hide_modal(modal_id);,
        'update_progress': def(amount, total): pbar.max, pbar.value = total, amount;,
-        'set_msg': def(new_msg): msg_div.innerHTML = simple_markup(new_msg);,
+        'set_msg': def(new_msg): safe_set_inner_html(msg_div, new_msg);,
    }

 # def test_progress():
--- a/src/pyj/read_book/overlay.pyj
+++ b/src/pyj/read_book/overlay.pyj
@ -11,7 +11,7 @@ from book_list.router import home
 from book_list.theme import get_color
 from dom import add_extra_css, build_rule, clear, set_css, svgicon, unique_id
 from modals import error_dialog
-from utils import full_screen_element, request_full_screen, simple_markup
+from utils import full_screen_element, request_full_screen, safe_set_inner_html
 from read_book.goto import create_goto_panel
 from read_book.prefs.font_size import create_font_size_panel
 from read_book.prefs.main import create_prefs_panel
@ -34,13 +34,13 @@ class LoadingMessage:  # {{{
                E.div(create_spinner('100px', '100px')),
                E.h2()
        ))
-        container.firstChild.lastChild.innerHTML = simple_markup(self.msg)
+        safe_set_inner_html(container.firstChild.lastChild, self.msg)
        set_css(container.firstChild, position='relative', top='50%', transform='translateY(-50%)')

    def set_msg(self, msg):
        self.msg = msg
        container = document.getElementById(self.container_id)
-        container.firstChild.lastChild.innerHTML = simple_markup(self.msg)
+        safe_set_inner_html(container.firstChild.lastChild, self.msg)

    def on_container_click(self, evt):
        pass  # Dont allow panel to be closed by a click
@ -79,7 +79,7 @@ class DeleteBook:  # {{{
                E.div(create_spinner('100px', '100px')),
                E.h2()
        ))
-        container.lastChild.lastChild.innerHTML = simple_markup(_('Deleting local book copy, please wait...'))
+        safe_set_inner_html(container.lastChild.lastChild, _('Deleting local book copy, please wait...'))

    def on_container_click(self, evt):
        pass  # Dont allow panel to be closed by a click
--- a/src/pyj/utils.pyj
+++ b/src/pyj/utils.pyj
@ -217,6 +217,10 @@ def simple_markup(html):
 simple_markup.allowed_tags = v"'b|i|br|h1|h2|h3|h4|h5|h6|div|em|strong|span'.split('|')"


+def safe_set_inner_html(elem, html):
+    elem.innerHTML = simple_markup(html)
+
+
 if __name__ is '__main__':
    from pythonize import strings
    strings()