Use cssText instead of innerHTML to set theme styles.

elastic · Dec 15, 2017 · 8c43cf4 · 8c43cf4
1 parent a3ce294
commit 8c43cf4
Showing 1 changed file with 12 additions and 4 deletions.
diff --git a/src/ui/public/theme/theme.js b/src/ui/public/theme/theme.js
@@ -8,10 +8,18 @@ export function registerTheme(theme, styles) {
 export function applyTheme(newTheme) {
   currentTheme = newTheme;
 
-  // NOTE: The use of innerHTML opens up to XSS attacks, so we can't support user-generated themes
-  // as long as this implementation is in use. Ideally we would use the webpack style-loader/useable
-  // to activate and deactivate themes, but that causes the optimize step to fail.
-  document.getElementById('themeCss').innerHTML = themes[currentTheme];
+  const styleNode = document.getElementById('themeCss');
+
+  if (styleNode) {
+    const css = themes[currentTheme];
+
+    if (styleNode.styleSheet){
+      styleNode.styleSheet.cssText = css;
+    } else {
+      styleNode.appendChild(document.createTextNode(css));
+
+    }
+  }
 }
 
 export function getCurrentTheme() {