<b-card>: "Tag" is displayed without escape in header, title and footer. #2245
Comments
The props for title, header, etc. support basic HTML for things like simple styling. It is up to you as the author of an app to determine which fields you will allow to contain untrusted user data.
I think developers who need styling should use a slot rather than a property. In the current specification, when using Are there components other than However, I think that it is desirable to treat all property values as plain text.
HTML tags are available for the following properties:
HTML tags are not available for the following properties:
I have examined all of them, but there may be some missing.
Thank you for your research!
I would prefer styled HTML to be used in slots only, but we have many requests to be able to pass basic HTML to the props. Removing this "feature" would be a breaking change for many users though.
Compatibility is important, but if this goes on, it seems likely that this "feature" will cause an XSS vulnerability on some site. The problem is that the existence of this "feature" is not obvious from the documentation. I think it is necessary to specify in the documentation, for each property, whether this feature exists. The next problem is that there are properties with this feature and properties without it, and one cannot predict the existence of this feature from the property name, etc. Therefore, even if complete documentation is released, avoiding the pitfalls of this feature is not easy. However, if we escape all the property values defensively (which I don't want to do...), undesirable text will be displayed when we set values on properties without this feature. Does it become as follows?
Although this is a breaking change, I think it is relatively easy to fix for users. Also, code written by users without knowing that these properties have a styling feature works on the safe side.
For things like
What about using a prop like
Yeah, the options mixin could be updated to accept an html property, and if present, it is used as inner HTML, and the plain text can be passed directly to createElement as the content if no html is given.
There are a few npm modules that can sanitize html strings, but they are rather large in size, and many still have loopholes. |
I think it is enough to give the user better control over this. Default to the safe
Yeah. And a few other components should have similar limitations as well for when inner html is used. |
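The split discussed above (an escaped plain-text prop next to an explicit html prop) as an added example; this is not bootstrap-vue's code and does not use Vue at all, it is a minimal string renderer so it runs under Node. The names `escapeHtml`, `renderCardSection`, `demo` and `UNTRUSTED_HEADER` are assumptions made for the example, and the sample payload is a constructed value of the kind the report describes (an img tag that only fires when a browser parses the markup).

```javascript
// Added example, not bootstrap-vue code: models the "text prop vs html prop"
// proposal from the thread. Plain text is always HTML-escaped; only the explicit
// `html` prop is emitted as raw markup, so untrusted data must never be routed there.

// Escape the five characters that change the meaning of text in an HTML
// text or attribute context.
function escapeHtml(value) {
  const map = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Render one card section (header, title or footer) as a markup string:
// `html` wins and is emitted raw, otherwise `text` is escaped. The class name
// is a hypothetical stand-in for whatever the real component would apply.
function renderCardSection(className, { text, html } = {}) {
  const inner = html != null ? String(html) : escapeHtml(text == null ? '' : text);
  return `<div class="${className}">${inner}</div>`;
}

// Constructed sample input (not taken from any real site): an img tag whose
// onerror handler would run if the string reached innerHTML in a browser.
const UNTRUSTED_HEADER = '<img src=x onerror=alert(1)>';

// Returns the three renderings side by side so they can be compared or asserted on.
function demo() {
  return {
    // Untrusted data through the text prop: the tag survives only as literal text.
    escaped: renderCardSection('card-header', { text: UNTRUSTED_HEADER }),
    // Author-controlled styling through the explicit html prop, as the thread proposes.
    raw: renderCardSection('card-header', { html: '<b>Bold</b> header' }),
    // What a single HTML-capable prop amounts to when fed untrusted data.
    currentBehaviour: renderCardSection('card-header', { html: UNTRUSTED_HEADER }),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

The point of the pair is that the dangerous path is opt-in and visible in the template (`header-html="..."` rather than `header="..."`), which addresses the complaint above that the feature cannot be predicted from the prop name. Sanitising the html prop would be a separate decision; as noted in the thread, the available sanitiser packages are large and not airtight, so the safer default is to keep untrusted values out of that prop entirely.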
3c6ba3e seems to fix this issue. |
Hello,
"Tag" is displayed without escape in b-card's header, title and footer.
"script-tag" is rejected. But "img-tag" can cause alert.
Is this correct specification?