Use textContent instead of innerHTML

Previously, setting `innerHTML` was used to display the statuses.  These
could include content communicated from the remote VNC server, allowing
the remove VNC server to inject HTML into the noVNC page.

This commit switches all uses of `innerHTML` to use `textContent`, which
is not vulnerable to the HTML injection.

include/ui.js

@@ -285,7 +285,7 @@ var UI;
 
             if (typeof(msg) !== 'undefined') {
                 $D('noVNC_control_bar').setAttribute("class", klass);
-                $D('noVNC_status').innerHTML = msg;
+                $D('noVNC_status').textContent = msg;
             }
 
             UI.updateVisualState();
@@ -360,9 +360,9 @@ var UI;
             clearTimeout(UI.popupStatusTimeout);
 
             if (typeof text === 'string') {
-                psp.innerHTML = text;
+                psp.textContent = text;
             } else {
-                psp.innerHTML = $D('noVNC_status').innerHTML;
+                psp.textContent = $D('noVNC_status').textContent;
             }
             psp.style.display = "block";
             psp.style.left = window.innerWidth/2 -

tests/arrays.js

@@ -36,7 +36,7 @@ if (Util.Engine.trident) {
 function message(str) {
     //console.log(str);
     cell = $D('messages');
-    cell.innerHTML += str + newline;
+    cell.textContent += str + newline;
     cell.scrollTop = cell.scrollHeight;
 }
 

tests/base64.html

@@ -20,7 +20,7 @@
     function debug(str) {
         console.log(str);
         cell = $D('debug');
-        cell.innerHTML += str + "\n";
+        cell.textContent += str + "\n";
         cell.scrollTop = cell.scrollHeight;
     }
 

tests/canvas.html

@@ -42,7 +42,7 @@
         function message(str) {
             console.log(str);
             cell = $D('messages');
-            cell.innerHTML += msg_cnt + ": " + str + "\n";
+            cell.textContent += msg_cnt + ": " + str + "\n";
             cell.scrollTop = cell.scrollHeight;
             msg_cnt += 1;
         }

tests/cursor.html

@@ -35,7 +35,7 @@
     function debug(str) {
         console.log(str);
         cell = $D('debug');
-        cell.innerHTML += str + "\n";
+        cell.textContent += str + "\n";
         cell.scrollTop = cell.scrollHeight;
     }
 

tests/input.html

@@ -44,7 +44,7 @@
         function message(str) {
             console.log(str);
             cell = $D('messages');
-            cell.innerHTML += msg_cnt + ": " + str + newline;
+            cell.textContent += msg_cnt + ": " + str + newline;
             cell.scrollTop = cell.scrollHeight;
             msg_cnt++;
         }

tests/viewport.html

@@ -56,7 +56,7 @@
         function message(str) {
             console.log(str);
             cell = $D('messages');
-            cell.innerHTML += msg_cnt + ": " + str + newline;
+            cell.textContent += msg_cnt + ": " + str + newline;
             cell.scrollTop = cell.scrollHeight;
             msg_cnt++;
         }

tests/vnc_perf.html

@@ -64,7 +64,7 @@
         function msg(str) {
             console.log(str);
             var cell = $D('messages');
-            cell.innerHTML += str + "\n";
+            cell.textContent += str + "\n";
             cell.scrollTop = cell.scrollHeight;
         }
         function dbgmsg(str) {
@@ -88,7 +88,7 @@
                     break;
             }
             if (typeof mesg !== 'undefined') {
-                $D('VNC_status').innerHTML = mesg;
+                $D('VNC_status').textContent = mesg;
             }
         }
 

tests/vnc_playback.html

@@ -51,7 +51,7 @@
         function message(str) {
             console.log(str);
             var cell = $D('messages');
-            cell.innerHTML += str + "\n";
+            cell.textContent += str + "\n";
             cell.scrollTop = cell.scrollHeight;
         }
 
@@ -78,7 +78,7 @@
                     break;
             }
             if (typeof msg !== 'undefined') {
-                $D('VNC_status').innerHTML = msg;
+                $D('VNC_status').textContent = msg;
             }
         }
 

vnc_auto.html

@@ -152,7 +152,7 @@
 
             if (typeof(msg) !== 'undefined') {
                 sb.setAttribute("class", "noVNC_status_" + level);
-                s.innerHTML = msg;
+                s.textContent = msg;
             }
         }