From d18d800947c7b45d7ebb674d325836d4ae91c326 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jason=20K=C3=B6lker?=
Date: Sat, 10 Jun 2023 23:39:48 +0000
Subject: [PATCH] fix(settings): mitigate xss

Mitigate XSS on wifi scanning from injecting arbitrary code by using `textConent` instead of `innerHTML`.

Partially Fixes #3233
---
 wled00/data/settings_wifi.htm | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/wled00/data/settings_wifi.htm b/wled00/data/settings_wifi.htm
index 96971fead..4e96d954e 100644
--- a/wled00/data/settings_wifi.htm
+++ b/wled00/data/settings_wifi.htm
@@ -19,7 +19,7 @@
 const button = gId("scan");
 button.disabled = true;
- button.innerHTML = "Scanning...";
+ button.textContent = "Scanning...";
 fetch(url).then((response) => {
 return response.json();
@@ -70,7 +70,7 @@
 const option = cE("option");
 option.setAttribute("value", networks[i].ssid);
- option.innerHTML = `${networks[i].ssid} (${networks[i].rssi} dBm)`;
+ option.textContent = `${networks[i].ssid} (${networks[i].rssi} dBm)`;
 if (networks[i].ssid === cs.value) {
 option.setAttribute("selected", "selected");
@@ -81,14 +81,14 @@
 const option = cE("option");
 option.setAttribute("value", "!Cs");
- option.innerHTML = `Other network...`;
+ option.textContent = `Other network...`;
 select.appendChild(option);
 cs.replaceWith(select);
 }
 button.disabled = false;
- button.innerHTML = "Scan";
+ button.textContent = "Scan";
 });
 }
 // replace WiFi select with custom SSID input field again
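Review bot: The `option.textContent = \`${networks[i].ssid} (${networks[i].rssi} dBm)\`;` line in the second hunk (-70,7) carries no comment recording why `textContent` is required here, so a later cleanup back to `innerHTML` would silently reintroduce the injection this commit closes; I would add `// SSID/RSSI come from whatever access point is nearby and are attacker-controlled: render as text, never as HTML` above it. The `option.setAttribute("value", networks[i].ssid)` on the preceding line is already safe for the same data, since the value goes through the DOM API rather than HTML parsing. In the third hunk, `option.textContent = \`Other network...\`;` uses a template literal with no interpolation; a plain `"Other network..."` would match the `"Scanning..."` and `"Scan"` string literals in the other hunks. The `fetch(url).then(...)` callback containing these lines starts before the first hunk and its enclosing function is only partially visible, so any remaining `innerHTML` sinks outside these hunks cannot be confirmed from here.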