Fix AJAX example handling of query parameters

romaricpascal · romaricpascal · commit c72be5b71a39 · 2025-11-18T17:09:08.000Z
The example was injecting the query parameters as HTML,
which allowed for arbitrary javascript to be ran (for ex. through
an `onerror` attribute on an image).

As the value only needs displaying, the query parameter
is now displayed via text content.
diff --git a/examples/ajax-source.html b/examples/ajax-source.html
@@ -292,8 +292,7 @@ <h1>Accessible Autocomplete AJAX source example</h1>
         var submittedEl = document.querySelector('.submitted')
         submittedEl.classList.remove('submitted--hidden')
         var params = new URLSearchParams(document.location.search.split('?')[1])
-        document.querySelector('.submitted__last-location').innerHTML = params.get('last-location')
-        document.querySelector('.submitted__passport-location').innerHTML = params.get('passport-location')
+        document.querySelector('.submitted__last-location').textContent = params.get('last-location')
       }
     </script>
   </body>
