From 3a657ed46a25dadfbb5e0ecc98b89d41db36dee4 Mon Sep 17 00:00:00 2001
From: Pascal Hartig
Date: Mon, 6 Aug 2018 05:35:51 -0700
Subject: [PATCH] Use textContent for showing dev error message (#199)

Summary: `innerHTML` seems unnecessarily dangerous, rendering unescaped content from the network in an execution context. It can also raise exceptions if the HTML received is invalid, so let's not do this?

Pull Request resolved: https://github.com/facebook/flipper/pull/199

Reviewed By: danielbuechele

Differential Revision: D9179150

Pulled By: passy

fbshipit-source-id: 911b2686150be73c8e9e42b94b2a96da62fd6ae7
---
 static/index.dev.html | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/static/index.dev.html b/static/index.dev.html
index 4d3c64525..10221aaf9 100644
--- a/static/index.dev.html
+++ b/static/index.dev.html
@@ -75,14 +75,14 @@
 suppressErrors = true;
 });
- function openError(html) {
+ function openError(text) {
 if (suppressErrors) {
 return;
 }
 const box = document.querySelector('.__infinity-dev-box-error');
 box.removeAttribute('hidden');
- box.innerHTML = html;
+ box.textContent = text;
 onLoad();
 }
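Review bot: The new `box.textContent = text;` line carries no comment recording why plain text is required, so a later change wanting formatted output could reintroduce `innerHTML` without anyone noticing the regression; add `// Plain text on purpose: this message arrives from the network and must never be parsed as markup.` directly above the assignment. The rename to `text` implies callers pass a string, but `textContent` stringifies whatever it is given, so a non-string argument (an Error object, say) would render as its `String()` form rather than fail loudly — worth confirming at the call sites, which are outside this hunk. `suppressErrors` and `onLoad` are also defined outside the hunk, and the header counts 14 lines while only 11 are visible here, so some blank context lines were probably lost when the patch was collapsed.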