Improve HTML escaping helper #12383
Conversation
Seems off that we have to write this ourselves.
I initially wanted to use https://github.com/sindresorhus/escape-goat but that module got some bloat recently so I decided to just copy the function from there. Not like this will ever change.
The previous method did not escape single quotes which under some circumstances can lead to XSS vulnerabilities and the fact that it depends on jQuery is also not ideal. Replace it with a lightweight module.
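To make the single-quote concern in the PR description concrete, here is an added example that is not the project's code and not escape-goat's: a helper that escapes only `& < > "` beside one that also escapes `'`, rendered into a single-quoted attribute with constructed attacker input. The function names `escapeHtmlNoSingleQuote`, `escapeHtml`, `html`, `renderTitle` and `breaksOutOfSingleQuotedAttribute` are hypothetical; the tagged-template helper only illustrates the idea mentioned in the thread and does not mirror escape-goat's API.

```javascript
// Added example (not the project's or escape-goat's code): why an HTML escaper
// that leaves the single quote alone is unsafe inside single-quoted attributes.

// Incomplete escaper: handles & < > " but not ' (hypothetical name).
function escapeHtmlNoSingleQuote(str) {
  return String(str)
    .replace(/&/g, '&amp;')   // & first, so later entities are not double-escaped
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
}

// Complete escaper for text and attribute contexts: also handles ' (hypothetical name).
function escapeHtml(str) {
  return String(str)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Tagged template (hypothetical): literal parts pass through, interpolations are escaped.
function html(strings, ...values) {
  return strings.reduce(
    (out, s, i) => out + s + (i < values.length ? escapeHtml(values[i]) : ''),
    ''
  );
}

// Renders a value into a single-quoted title attribute with the given escaper.
function renderTitle(escaper, value) {
  return "<span title='" + escaper(value) + "'>x</span>";
}

// True if the escaped value still contains a raw single quote, i.e. it can close
// a single-quoted attribute and start a new one.
function breaksOutOfSingleQuotedAttribute(escaper, value) {
  return escaper(value).includes("'");
}

// Constructed attacker input, as it might arrive in a user-controlled name field.
const payload = "' onmouseover='alert(1)";

// Without single-quote escaping the attribute is closed and an event handler is injected.
console.log(renderTitle(escapeHtmlNoSingleQuote, payload));
// With it, the quote becomes &#39; and stays inside the title value.
console.log(renderTitle(escapeHtml, payload));
console.log(html`<span title='${payload}'>x</span>`);
```

The double-quote case is the one most escapers already handle; the single-quote case only matters when a template uses `'…'` around an attribute, which is exactly why the thread treats it as a theoretical rather than a confirmed issue for the existing call sites.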
Switched to the module again. With webpack's tree-shaking the unused parts will not be included in the output. The tagged template versions may also be useful at some point.
🚀
I don't think this will need a backport. There's probably no XSS possible in the existing usage, so this is more of a refactor.
Do we think this needs backporting?
While I don't think it's really necessary, we can do it of course just to be safe from theoretical single-quote issues.