Add XSS note to themes.js.

elastic · Dec 8, 2017 · d54538f · d54538f
1 parent 3b736d2
commit d54538f
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/src/ui/public/theme/theme.js b/src/ui/public/theme/theme.js
@@ -7,6 +7,10 @@ export function registerTheme(theme, styles) {
 
 export function applyTheme(newTheme) {
   currentTheme = newTheme;
+
+  // NOTE: The use of innerHTML opens up to XSS attacks, so we can't support user-generated themes
+  // as long as this implementation is in use. Ideally we would use the webpack style-loader/useable
+  // to activate and deactivate themes, but that causes the optimize step to fail.
   document.getElementById('themeCss').innerHTML = themes[currentTheme];
 }