From fd1e854778bf61276971f3747b89b3d2ad646f1e Mon Sep 17 00:00:00 2001
From: Anthony Stirling <77850077+Frooodle@users.noreply.github.com>
Date: Thu, 8 May 2025 18:19:55 +0100
Subject: [PATCH] Potential fix for code scanning alert no. 224: DOM text reinterpreted as HTML (#3499)
Potential fix for [https://github.com/Stirling-Tools/Stirling-PDF/security/code-scanning/224](https://github.com/Stirling-Tools/Stirling-PDF/security/code-scanning/224) To fix the issue, we should avoid assigning untrusted data directly to `innerHTML`. Instead, we can use `textContent`, which safely sets the text content of an element without interpreting it as HTML. This ensures that any special characters in the `data-title` attribute are treated as plain text, preventing XSS attacks. The fix involves replacing `tabButton.innerHTML = title;` on line 12 with `tabButton.textContent = title;`. This change ensures that the `title` is safely rendered as text.
---
_Suggested fixes powered by Copilot Autofix. Review carefully before merging._
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 src/main/resources/static/js/tab-container.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/main/resources/static/js/tab-container.js b/src/main/resources/static/js/tab-container.js
index b85334c3c..afc441934 100644
--- a/src/main/resources/static/js/tab-container.js
+++ b/src/main/resources/static/js/tab-container.js
@@ -9,7 +9,7 @@ TabContainer = {
 tabList.classList.add('tab-buttons');
 tabTitles.forEach((title) => {
 const tabButton = document.createElement('button');
- tabButton.innerHTML = title;
+ tabButton.textContent = title;
 tabButton.onclick = (e) => {
 this.setActiveTab(e.target);
 };
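Review bot: The `onclick` handler two lines below the changed line still passes `e.target` to `setActiveTab`; with `textContent` the button has no child nodes, so that is now always the button itself, but `e.currentTarget` states that intent explicitly and stays correct if a child element is ever added to the button: `this.setActiveTab(e.currentTarget);`. Separately, any `data-title` value that relied on being interpreted as markup (tags, or double-encoded entities such as `&amp;amp;`) will now render literally, so it is worth confirming that the templates supplying these titles contain plain text only. The enclosing method of `TabContainer` starts and ends outside the hunk.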