
I’m getting this security error on GitHub:

DOM text is reinterpreted as HTML without escaping meta-characters. (CodeQL)

For this part of the code:

var url = window.location.href;
var title = $('title').text();
$(document).ready(function() {
    $("#shareit").html("<mobileshare3 class='mobileshare3'><a href='https://pinterest.com/pin/create/button/?url="+url+
        "&amp;media="+url+"&amp;description="+title+"' rel='noreferrer' target='_blank' title='شارك على بانتيراست'>"+
        "<i class='fab fa-pinterest'></i></a></mobileshare3><mobileshare5 class='mobileshare5'><a class='whatsapp' href='whatsapp://send?text="+
        title+" "+url+"' rel='noreferrer' target='_top' title='شارك على واتساب'><i class='fab fa-whatsapp'></i></a></mobileshare5>"+
        "<mobileshare4 class='mobileshare4'><a href='https://t.me/share/url?url="+url+"&text="+title+
        "' rel='noreferrer' target='_blank' title='شارك على تيليغرام'><i class='fab fa-telegram-plane'></i></a></mobileshare4><mobileshare class='mobileshare'><a href='https://www.facebook.com/sharer.php?u="+
        url+"&t="+title+"' rel='noreferrer' target='_blank' title='شارك على فايسيوك'><i class='fab fa-facebook'></i></a></mobileshare>");
});
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.3.1/jquery.min.js"></script>
<div id="shareit">
Adel Benyahia
  • [CodeQL](https://codeql.github.com/) (GitHub) – Peter Mortensen Nov 26 '21 at 22:44
  • What do you mean by *"without escaping meta-characters.CodeQL"* (seems incomprehensible)? E.g., do you mean *"without escaping in file meta-characters.CodeQL"*? Or *"without escaping meta-characters in CodeQL"*? Or something else? Please respond by [editing (changing) your question](https://stackoverflow.com/posts/69594064/edit), not here in comments (***without*** "Edit:", "Update:", or similar - the question should appear as if it was written today). – Peter Mortensen Nov 26 '21 at 22:44

1 Answer

$(document).ready(function() {
    // Same markup as the question, written with template literals (`${...}`) instead of string concatenation
    $('#shareit').html(`<mobileshare3 class='mobileshare3'><a href='https://pinterest.com/pin/create/button/?url=${url}` +
        `&amp;media=${url}&amp;description=${title}' rel='noreferrer' target='_blank' title='شارك على بانتيراست'>` +
        `<i class='fab fa-pinterest'></i></a></mobileshare3><mobileshare5 class='mobileshare5'><a class='whatsapp' href='whatsapp://send?text=` +
        `${title} ${url}' rel='noreferrer' target='_top' title='شارك على واتساب'><i class='fab fa-whatsapp'></i></a></mobileshare5>` +
        `<mobileshare4 class='mobileshare4'><a href='https://t.me/share/url?url=${url}&text=${title}` +
        `' rel='noreferrer' target='_blank' title='شارك على تيليغرام'><i class='fab fa-telegram-plane'></i></a></mobileshare4><mobileshare class='mobileshare'><a href='https://www.facebook.com/sharer.php?u=` +
        `${url}&t=${title}' rel='noreferrer' target='_blank' title='شارك على فايسيوك'><i class='fab fa-facebook'></i></a></mobileshare>`);
});


Peter Mortensen
  • You can use template literals instead of using double quotes. – Cool Coding Tamil Oct 16 '21 at 09:50
  • Thanks, but isn't it the same as the above function? With the same result? – Adel Benyahia Oct 17 '21 at 09:36
  • I can understand what you are saying @Adel Benyahia but still, the error is "DOM text is reinterpreted as HTML without escaping meta-characters", the text has been interrupted during the compilation, if we use template literals the text can be escaped by that. Hence, we can notice the same result but the method is quite different. – Cool Coding Tamil Oct 17 '21 at 09:40
  • Yes, the same result without the error "DOM text is reinterpreted as HTML without escaping meta-characters". Thanks @Cool Coding Tamil – Adel Benyahia Oct 17 '21 at 16:04
  • An explanation would be in order. E.g., what did you change and why? Please respond by [editing (changing) your answer](https://stackoverflow.com/posts/69594434/edit), not here in comments (***without*** "Edit:", "Update:", or similar - the answer should appear as if it was written today). – Peter Mortensen Nov 05 '21 at 00:22
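The CodeQL finding is about `window.location.href` and the `<title>` text being spliced into a string that `.html()` parses as markup; switching to template literals changes the syntax, not what the parser sees. An added example (not code from the question or the answer) that builds the same four share links with the values percent-encoded as query parameters and the anchors created through DOM APIs, so nothing taken from the page is ever parsed as HTML. The `SHARE_TARGETS` table, the `<span>` wrappers standing in for the custom `<mobileshareN>` tags, and the function names are assumptions of this example.

```javascript
// Added example: share links built without handing page-derived text to .html().
// SHARE_TARGETS mirrors the four links in the question (assumed structure, not the page's code).
const SHARE_TARGETS = [
  { cls: 'mobileshare3', icon: 'fab fa-pinterest', target: '_blank', label: 'شارك على بانتيراست',
    build: (u, t) => `https://pinterest.com/pin/create/button/?url=${u}&media=${u}&description=${t}` },
  { cls: 'mobileshare5', icon: 'fab fa-whatsapp', target: '_top', label: 'شارك على واتساب',
    build: (u, t) => `whatsapp://send?text=${t}%20${u}` },
  { cls: 'mobileshare4', icon: 'fab fa-telegram-plane', target: '_blank', label: 'شارك على تيليغرام',
    build: (u, t) => `https://t.me/share/url?url=${u}&text=${t}` },
  { cls: 'mobileshare', icon: 'fab fa-facebook', target: '_blank', label: 'شارك على فايسيوك',
    build: (u, t) => `https://www.facebook.com/sharer.php?u=${u}&t=${t}` },
];

// Pure helper: the URL and title are percent-encoded before they enter a query string,
// so '&', '<', '>', quotes and '#' in either value cannot change the link's structure.
function buildShareUrls(url, title) {
  const u = encodeURIComponent(url);
  const t = encodeURIComponent(title);
  return SHARE_TARGETS.map(s => ({
    cls: s.cls, icon: s.icon, target: s.target, label: s.label, href: s.build(u, t),
  }));
}

// Browser part: create elements and assign properties instead of concatenating markup.
// Returns the number of wrappers inserted into the container.
function renderShareLinks(container, url, title) {
  container.textContent = '';               // clears old content without an HTML parse
  for (const link of buildShareUrls(url, title)) {
    const wrapper = document.createElement('span');   // stands in for <mobileshareN>
    wrapper.className = link.cls;
    const a = document.createElement('a');
    a.href = link.href;                     // property assignment, never markup
    a.rel = 'noreferrer noopener';
    a.target = link.target;
    a.title = link.label;
    const icon = document.createElement('i');
    icon.className = link.icon;
    a.appendChild(icon);
    wrapper.appendChild(a);
    container.appendChild(wrapper);
  }
  return container.childElementCount;
}

// Wire-up equivalent to the question's $(document).ready(...); skipped outside a browser.
if (typeof document !== 'undefined') {
  document.addEventListener('DOMContentLoaded', () => {
    renderShareLinks(document.getElementById('shareit'), window.location.href, document.title);
  });
}
```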