From cc52811cd0a8178d2f33cdb1db7cbac818229c1b Mon Sep 17 00:00:00 2001
From: Richard Hansen
Date: Sun, 7 Feb 2021 20:52:28 -0500
Subject: [PATCH] pad_impexp: Use jQuery to build the import failure popup

This reduces the chances of accidentally introducing an XSS vulnerability.
---
 src/static/js/pad_impexp.js | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/src/static/js/pad_impexp.js b/src/static/js/pad_impexp.js
index e05b97a54..ea93de7c9 100644
--- a/src/static/js/pad_impexp.js
+++ b/src/static/js/pad_impexp.js
@@ -84,9 +84,12 @@ const padimpexp = (() => {
 const msg = html10n.get(`pad.impexp.${known.indexOf(status) !== -1 ? status : 'copypaste'}`);
 const showError = (fade) => {
- $('#importmessagefail').html(
- `${html10n.get('pad.impexp.importfailed')}: ` + `${msg}`)[(fade ? 'fadeIn' : 'show')]();
+ const popup = $('#importmessagefail').empty()
+ .append($('')
+ .css('color', 'red')
+ .text(`${html10n.get('pad.impexp.importfailed')}: `))
+ .append(document.createTextNode(msg));
+ popup[(fade ? 'fadeIn' : 'show')]();
 };
 if ($('#importexport .importmessage').is(':visible')) {