On Tue, Jun 9, 2020 at 12:20 PM Sehrope Sarkuni <sehrope@jackdb.com> wrote:
I took a peek at the updated yum.js. There's a couple unused variables in the script generation and it doesn't escape the generated text before assigning it to the DOM node. Not an issue now as there's nothing that'd break it, but if it's ever updated to include a redirect ("<") or something else hokey it'd break.
How about the attached? It splits the script generation into its own function returning a string and has the archChanged() only handle updating the DOM. It uses jQuery .text(...) for the DOM update so that the contents are escaped.
I don't have the full site running locally but adding the new DOM node and copy / pasting in the browser to manipulate the live site with this code seems to work fine.
Thanks. The code has changed massively since the last patch (thanks to Magnus harassing me about more changes on IM). New patch to follow - I'll look to incorporate your tweaks.
