refactor: change style.innerHTML to style.textContent #10801

Merged
merged 1 commit into from Nov 6, 2022


sapphi-red
Member

Description

It seems innerHTML and textContent aren't different for style tags. If there isn't any difference, I think we should use textContent to reduce CSP requirements.

refs #10553

Additional context


What is the purpose of this pull request?

  • Bug fix
  • New Feature
  • Documentation update
  • Other

Before submitting the PR, please make sure you do the following

  • Read the Contributing Guidelines.
  • Read the Pull Request Guidelines and follow the Commit Convention.
  • Check that there isn't already a PR that solves the problem the same way to avoid creating a duplicate.
  • Provide a description in this PR that addresses what the PR is solving, or reference the issue that it solves (e.g. fixes #123).
  • Ideally, include relevant tests that fail without this PR but pass with it.

@sapphi-red sapphi-red added the p2-nice-to-have Not breaking anything but nice to have (priority) label Nov 6, 2022
@patak-dev
Member

/ecosystem-ci run

@vite-ecosystem-ci

vite-ecosystem-ci bot commented Nov 6, 2022

📝 Ran ecosystem CI: Open

| suite | result |
|---|---|
| astro | ✅ success |
| histoire | ✅ success |
| iles | ✅ success |
| ladle | ✅ success |
| laravel | ✅ success |
| marko | ✅ success |
| nuxt-framework | ✅ success |
| rakkas | ✅ success |
| svelte | ✅ success |
| vite-plugin-ssr | ✅ success |
| vite-setup-catalogue | ✅ success |
| vitepress | ✅ success |
| vitest | ✅ success |
| windicss | ✅ success |

@patak-dev patak-dev merged commit 8ea71b4 into vitejs:main Nov 6, 2022
@sapphi-red sapphi-red deleted the refactor/change-style-innerhtml branch November 6, 2022 13:47
ghiscoding added a commit to ghiscoding/autocomplete that referenced this pull request Nov 7, 2023
I think we should use `textContent` to reduce CSP (Content Security Policy) requirements. If we add CSP `require-trusted-types-for 'script'`, then it blocks `innerHTML` unless it's `TrustedHTML`, however in the case of this lib's usage, we can simply replace the `innerHTML` with `textContent` which has the exact same effect and is more CSP compliant.

For reference, you can see this [PR](vitejs/vite#10801) on the Vite project, they've done the exact same code change.
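
An added example, not part of this pull request or of Vite's code: a small Node.js scan that lists string assignments to `innerHTML`/`outerHTML` in a source text, the kind of audit done before turning on `require-trusted-types-for 'script'`. The function name, the receiver-name heuristic and the sample source are assumptions constructed for illustration.

```javascript
// Added example (hypothetical helper, not Vite's code).
// Finds `<receiver>.innerHTML =` / `+=` (and outerHTML), skipping `==`/`===`.
const SINK_ASSIGN = /([^\s=;,(]*)\.(innerHTML|outerHTML)\s*\+?=(?!=)/g;

function findHtmlSinkAssignments(source) {
  const findings = [];
  source.split('\n').forEach((text, i) => {
    if (text.trim().startsWith('//')) return; // skip whole-line comments only
    for (const m of text.matchAll(SINK_ASSIGN)) {
      const receiver = m[1];
      findings.push({
        line: i + 1,
        receiver,
        sink: m[2],
        // Heuristic (assumption): a receiver named like a <style> element
        // holds CSS text only, so textContent is a drop-in replacement.
        suggestion: /style/i.test(receiver)
          ? 'use textContent'
          : 'review: build DOM nodes, sanitize, or use a Trusted Types policy',
      });
    }
  });
  return findings;
}

// Constructed sample input, not taken from any real project.
const SAMPLE = [
  "const style = document.createElement('style')",
  "style.innerHTML = css",
  "style.textContent = css",
  "if (panel.innerHTML === '') return",
  "panel.innerHTML += '<li>' + label + '</li>'",
  "// legacy.innerHTML = html",
].join('\n');

for (const f of findHtmlSinkAssignments(SAMPLE)) {
  console.log(`line ${f.line}: ${f.receiver}.${f.sink} -> ${f.suggestion}`);
}
```

The scan is textual, so it cannot see sinks reached through aliases or computed property names; treat its output as a starting list for review.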