From a301bf8bf5acb5fde1158fca4bc877dad19e5197 Mon Sep 17 00:00:00 2001
From: Nick O'Leary <nick.oleary@gmail.com>
Date: Wed, 6 Feb 2019 22:25:25 +0000
Subject: [PATCH] Fix XSS issues in library ui code

---
 .../@node-red/editor-client/src/js/ui/library.js    | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/packages/node_modules/@node-red/editor-client/src/js/ui/library.js b/packages/node_modules/@node-red/editor-client/src/js/ui/library.js
index 2f7559411..d8d35b564 100644
--- a/packages/node_modules/@node-red/editor-client/src/js/ui/library.js
+++ b/packages/node_modules/@node-red/editor-client/src/js/ui/library.js
@@ -45,7 +45,7 @@ RED.library = (function() {
                             a = document.createElement("a");
                             a.href="#";
                             var label = i.replace(/^@.*\//,"").replace(/^node-red-contrib-/,"").replace(/^node-red-node-/,"").replace(/-/," ").replace(/_/," ");
-                            a.innerHTML = label;
+                            a.innerText = label;
                             li.appendChild(a);
                             li.appendChild(buildMenu(data.d[i],root+(root!==""?"/":"")+i));
                             ul.appendChild(li);
@@ -58,7 +58,7 @@ RED.library = (function() {
                             li = document.createElement("li");
                             a = document.createElement("a");
                             a.href="#";
-                            a.innerHTML = data.f[i];
+                            a.innerText = data.f[i];
                             a.flowName = root+(root!==""?"/":"")+data.f[i];
                             a.onclick = function() {
                                 $.get('library/flows/'+this.flowName, function(data) {
@@ -125,8 +125,8 @@ RED.library = (function() {
                     li.onclick = (function () {
                         var dirName = v;
                         return function(e) {
-                            var bcli = $('<li class="active"><span class="divider">/</span> <a href="#">'+dirName+'</a></li>');
-                            $("a",bcli).click(function(e) {
+                            var bcli = $('<li class="active"><span class="divider">/</span> </li>');
+                            $('<a href="#"></a>').text(dirName).appendTo(bcli).click(function(e) {
                                 $(this).parent().nextAll().remove();
                                 $.getJSON("library/"+options.url+root+dirName,function(data) {
                                     $("#node-select-library").children().first().replaceWith(buildFileList(root+dirName+"/",data));
@@ -141,12 +141,13 @@ RED.library = (function() {
                             });
                         }
                     })();
-                    li.innerHTML = '<i class="fa fa-folder"></i> '+v+"</i>";
+                    $('<i class="fa fa-folder"></i>').appendTo(li);
+                    $('<span>').text(" "+v).appendTo(li);
                     ul.appendChild(li);
                 } else {
                     // file
                     li = buildFileListItem(v);
-                    li.innerHTML = v.name;
+                    li.innerText = v.name;
                     li.onclick = (function() {
                         var item = v;
                         return function(e) {