Merge pull request #780 from alphagov/fix-html-injection-ajax-example

romaricpascal · web-flow · commit fb3e243ac15a · 2025-12-15T13:46:49.000Z
diff --git a/examples/ajax-source.html b/examples/ajax-source.html
@@ -292,8 +292,7 @@ <h1>Accessible Autocomplete AJAX source example</h1>
         var submittedEl = document.querySelector('.submitted')
         submittedEl.classList.remove('submitted--hidden')
         var params = new URLSearchParams(document.location.search.split('?')[1])
-        document.querySelector('.submitted__last-location').innerHTML = params.get('last-location')
-        document.querySelector('.submitted__passport-location').innerHTML = params.get('passport-location')
+        document.querySelector('.submitted__last-location').textContent = params.get('last-location')
       }
     </script>
   </body>
diff --git a/examples/form-single.html b/examples/form-single.html
@@ -374,7 +374,7 @@ <h1>Accessible Autocomplete single field form example</h1>
         var submittedEl = document.querySelector('.submitted')
         submittedEl.classList.remove('submitted--hidden')
         var params = new URLSearchParams(document.location.search.split('?')[1])
-        document.querySelector('.submitted__last-location').innerHTML = params.get('last-location')
+        document.querySelector('.submitted__last-location').textContent = params.get('last-location')
       }
     </script>
   </body>
diff --git a/examples/form.html b/examples/form.html
@@ -665,8 +665,8 @@ <h1>Accessible Autocomplete form example</h1>
         var submittedEl = document.querySelector('.submitted')
         submittedEl.classList.remove('submitted--hidden')
         var params = new URLSearchParams(document.location.search.split('?')[1])
-        document.querySelector('.submitted__last-location').innerHTML = params.get('last-location')
-        document.querySelector('.submitted__passport-location').innerHTML = params.get('passport-location')
+        document.querySelector('.submitted__last-location').textContent = params.get('last-location')
+        document.querySelector('.submitted__passport-location').textContent = params.get('passport-location')
       }
     </script>
   </body>

Original file line number	Diff line number	Diff line change
`@@ -374,7 +374,7 @@ <h1>Accessible Autocomplete single field form example</h1>`
`374`	`374`	`var submittedEl = document.querySelector('.submitted')`
`375`	`375`	`submittedEl.classList.remove('submitted--hidden')`
`376`	`376`	`var params = new URLSearchParams(document.location.search.split('?')[1])`
`377`		`- document.querySelector('.submitted__last-location').innerHTML = params.get('last-location')`
	`377`	`+ document.querySelector('.submitted__last-location').textContent = params.get('last-location')`
`378`	`378`	`}`
`379`	`379`	`</script>`
`380`	`380`	`</body>`