From 339f4a2e928951bfc54782d2295d5da7a7b70567 Mon Sep 17 00:00:00 2001
From: pcworld <0188801@gmail.com>
Date: Sun, 26 Apr 2020 23:01:39 +0200
Subject: [PATCH] Fix XSS security vulnerability

Using textContent instead of appending to HTML ensures that escaped HTML characters stay escaped.

Fixes issue #88
---
 jquery.lettering.js | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/jquery.lettering.js b/jquery.lettering.js
index 70aae46..6aeeda1 100644
--- a/jquery.lettering.js
+++ b/jquery.lettering.js
@@ -13,15 +13,19 @@ (function($){
 function injector(t, splitter, klass, after) {
 var text = t.text()
- , a = text.split(splitter)
- , inject = '';
+ , a = text.split(splitter);
 if (a.length) {
+ t.innerHTML = '';
 $(a).each(function(i, item) {
- inject += ''+after;
+ var span = document.createElement('span');
+ span.className = klass + (i + 1);
+ span.setAttribute('aria-hidden', 'true');
+ span.textContent = item;
+ t[0].appendChild(span);
+ if (after)
+ t[0].appendChild(document.createTextNode(after));
 });
- t.attr('aria-label',text)
- .empty()
- .append(inject)
+ t.attr('aria-label',text);
 }
 }
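Review bot: `t.innerHTML = '';` sets a property on the jQuery wrapper `t`, not on the DOM element, so the element's existing children are never cleared; the old text nodes stay in place and the new spans are appended after them, which the removed `.empty()` call used to prevent. Replace it with `t.empty();` (or `t[0].textContent = '';`) so the per-item spans replace the original content as before. The `if (after)` guard preserves the old behaviour for an empty `after`, since `''+after` contributed nothing in the string version. Note that `t[0]` is undefined for an empty jQuery set, so `appendChild` would throw where the old `.append()` was a no-op; whether injector can receive an empty set depends on its callers, which are outside the hunk, as is the enclosing `(function($){` IIFE.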