From 89ab00a4a11d8101ea64350162d0f6b0e16000d6 Mon Sep 17 00:00:00 2001
From: Michael Wang
Date: Fri, 15 Dec 2023 13:59:27 +0800
Subject: [PATCH] fix: use `setAttribute` instead of `innerHTML` to prevent xss

---
 js/controllers/slidecontent.js | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/js/controllers/slidecontent.js b/js/controllers/slidecontent.js
index 3a726b76e22..5333c7fe499 100644
--- a/js/controllers/slidecontent.js
+++ b/js/controllers/slidecontent.js
@@ -142,13 +142,15 @@ export default class SlideContent {
 			// Support comma separated lists of video sources
 			backgroundVideo.split( ',' ).forEach( source => {
+				const sourceElement = document.createElement( 'source' );
+				sourceElement.setAttribute( 'src', source );
+
 				let type = getMimeTypeFromFile( source );
 				if( type ) {
-					video.innerHTML += ``;
-				}
-				else {
-					video.innerHTML += ``;
+					sourceElement.setAttribute( 'type', type );
 				}
+
+				video.appendChild( sourceElement );
 			} );

 			backgroundContent.appendChild( video );