From cad7debc5be6054a06e8e168b7e6b6fa0df0832d Mon Sep 17 00:00:00 2001
From: ubertao
Date: Thu, 20 Sep 2018 08:49:17 +0800
Subject: [PATCH] Replace innerHTML() with createElement() and appendChild() for security.
---
 modules/default/compliments/compliments.js | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/modules/default/compliments/compliments.js b/modules/default/compliments/compliments.js
index af3d6e34..43ef0e9e 100644
--- a/modules/default/compliments/compliments.js
+++ b/modules/default/compliments/compliments.js
@@ -157,10 +157,15 @@ Module.register("compliments", {
 getDom: function() {
 var complimentText = this.randomCompliment();
- var compliment = document.createTextNode(complimentText);
 var wrapper = document.createElement("div");
 wrapper.className = this.config.classes ? this.config.classes : "thin xlarge bright";
- wrapper.innerHTML = complimentText.replace(/\n/g, '
');
+ complimentText.split("\n").forEach(function(line, index) {
+ if (index > 0) {
+ wrapper.appendChild(document.createElement("br"));
+ }
+ wrapper.appendChild(document.createTextNode(line));
+
+ });
 return wrapper;
 },
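Review bot: The new loop in getDom has no comment explaining why the wrapper is built from text nodes, so a later cleanup could collapse it back into an innerHTML assignment and reopen the injection path. I would add `// Build from text nodes so compliment text is never parsed as HTML; only "\n" becomes a <br>.` directly above the `split` call. The change also means that any markup existing compliment lists relied on is now shown literally, which deserves a line in the changelog or the module README. If randomCompliment() can return a non-string (its body is outside this hunk), `.split` throws just as `.replace` did, so an early `if (typeof complimentText !== "string") { return wrapper; }` after the className line may be worth adding. The empty added line before `});` can be dropped.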