From 0d315a2fba4dc2c4734ddd62e703d7e1dfa8ab1f Mon Sep 17 00:00:00 2001
From: Romaric Pascal <romaric.pascal@digital.cabinet-office.gov.uk>
Date: Tue, 18 Nov 2025 17:09:08 +0000
Subject: [PATCH] Fix handling of query parameters in examples

The examples were injecting the query parameters as HTML,
which allowed for arbitrary javascript to be ran (for ex. through
an `onerror` attribute on an image).

As the values in the query parameters only needs displaying, the query parameter
is now displayed via text content.
---
 examples/ajax-source.html | 3 +--
 examples/form-single.html | 2 +-
 examples/form.html        | 4 ++--
 3 files changed, 4 insertions(+), 5 deletions(-)

diff --git a/examples/ajax-source.html b/examples/ajax-source.html
index 9f59bb8b..ad2c42fc 100644
--- a/examples/ajax-source.html
+++ b/examples/ajax-source.html
@@ -292,8 +292,7 @@ <h1>Accessible Autocomplete AJAX source example</h1>
         var submittedEl = document.querySelector('.submitted')
         submittedEl.classList.remove('submitted--hidden')
         var params = new URLSearchParams(document.location.search.split('?')[1])
-        document.querySelector('.submitted__last-location').innerHTML = params.get('last-location')
-        document.querySelector('.submitted__passport-location').innerHTML = params.get('passport-location')
+        document.querySelector('.submitted__last-location').textContent = params.get('last-location')
       }
     </script>
   </body>
diff --git a/examples/form-single.html b/examples/form-single.html
index f03b7ec9..7870fafe 100644
--- a/examples/form-single.html
+++ b/examples/form-single.html
@@ -374,7 +374,7 @@ <h1>Accessible Autocomplete single field form example</h1>
         var submittedEl = document.querySelector('.submitted')
         submittedEl.classList.remove('submitted--hidden')
         var params = new URLSearchParams(document.location.search.split('?')[1])
-        document.querySelector('.submitted__last-location').innerHTML = params.get('last-location')
+        document.querySelector('.submitted__last-location').textContent = params.get('last-location')
       }
     </script>
   </body>
diff --git a/examples/form.html b/examples/form.html
index 8f43d327..bc67dceb 100644
--- a/examples/form.html
+++ b/examples/form.html
@@ -665,8 +665,8 @@ <h1>Accessible Autocomplete form example</h1>
         var submittedEl = document.querySelector('.submitted')
         submittedEl.classList.remove('submitted--hidden')
         var params = new URLSearchParams(document.location.search.split('?')[1])
-        document.querySelector('.submitted__last-location').innerHTML = params.get('last-location')
-        document.querySelector('.submitted__passport-location').innerHTML = params.get('passport-location')
+        document.querySelector('.submitted__last-location').textContent = params.get('last-location')
+        document.querySelector('.submitted__passport-location').textContent = params.get('passport-location')
       }
     </script>
   </body>