Turn on allowHtml by default for RichText, document that it can be a …

…security issue in some situations
MaKleSoft · Apr 6, 2012 · 4d5c4bc · 4d5c4bc
1 parent 7f6679a
commit 4d5c4bc
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/source/ui/RichText.js b/source/ui/RichText.js
@@ -13,6 +13,12 @@ enyo.kind({
 	name: "enyo.RichText",
 	classes: "enyo-richtext enyo-selectable",
 	published: {
+		/**
+			_allowHtml_ is enabled by default in RichText to take advantage of all the rich editing properties.
+			However, this allows for **ANY** HTML to be inserted into the RichText, including _iframe_ and _script_ tags, which can be a secuity concern in some situations.
+			If set to false, inserted HTML will be escaped.
+		*/
+		allowHtml: true,
 		disabled: false,
 		value: ""
 	},