
HTML in title of popup #18

Closed
iver56 opened this Issue Nov 10, 2014 · 4 comments

@iver56 (Contributor) commented Nov 10, 2014

Let's say that I have a tab with HTML to show an icon in it. HTML:

<span class="glyphicon glyphicon-bell"></span> Alarms

Problem 1) When I open that tab in a popup, the title becomes the following:

&lt;span class="glyphicon glyphicon-bell"&gt;&lt;/span&gt; Alarms

I would rather it were just "Alarms" in this case.

Problem 2) When I "pop in" the popup, the text of the tab becomes the following:

<span class="glyphicon glyphicon-bell"></span> Alarms

i.e. the HTML isn't rendered, so I cannot see the icon, which I expect to see.

@ghost (Contributor) commented Nov 12, 2014

Thanks for flagging this. It will be a bit of a balance: currently the entire configuration string that's passed on to the child windows is stripped of tags and of a number of expressions that can be used to create XSS attacks. In order to facilitate passing HTML to popout windows (not necessarily important for the title, but for components within it as well), I think we'd need to loosen the XSS policy a bit...

Sorry for the delay in that, but this needs a bit of testing to not open up attack vectors.


@DinisCruz commented Dec 14, 2014

Hi, allowing the set of icons on top of tabs (and other customisations) via HTML is very dangerous (i.e. XSS injection points). Would it be possible to define (as a parameter) a number of extra classes to be added to a particular tab?

@ghost (Contributor) commented Dec 14, 2014

Hi @iver56 - thanks again for pointing this out. The overall issue is fixed in the just released version 1.0.6.

@DinisCruz - Now that the configuration is passed through localStorage - would there still be a security concern?
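Added example for the thread above (editor's code, not the project's own and not from any commenter). The Nov 12 comment describes stripping tags and XSS-prone expressions from the configuration string before it reaches the child window; DinisCruz's Dec 14 comment proposes extra classes as a parameter instead of HTML; the question just above is whether passing the configuration through localStorage removes the concern. The block below shows the tab title handled as plain text plus an allowlisted icon class, and a read-from-storage step that validates the configuration whatever the transport. The storage key 'gl-window', the 'lm_tab' class name, the contents of the allowlist and the sample configurations are assumptions made for this example.

```javascript
// Added example, not the project's own code: tab titles for a popout window
// handled as data (text + an allowlisted icon class) instead of as raw HTML.
// The storage key 'gl-window', the 'lm_tab' class, the allowlist and the
// sample configurations are assumptions made for this example.

// Icon classes the host application chooses to permit on a tab (assumed list).
const ICON_CLASS_ALLOWLIST = new Set(['glyphicon-bell', 'glyphicon-ok', 'glyphicon-remove']);

// Escape a string for use as HTML text (also safe inside double-quoted attributes).
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// What "passing HTML through" looks like: the title string from the config is
// concatenated into markup unchanged, so anything the config contains is rendered
// and executed by the child window. Shown for contrast only.
function renderTabUnsafe(tab) {
  return '<li class="lm_tab">' + tab.title + '</li>';
}

// Reduce an arbitrary tab object to the two fields a tab may carry: a plain-text
// title and, optionally, an icon class that is on the allowlist. Anything else is dropped.
function normaliseTabConfig(tab) {
  const out = { title: typeof tab.title === 'string' ? tab.title : '' };
  if (typeof tab.iconClass === 'string' && ICON_CLASS_ALLOWLIST.has(tab.iconClass)) {
    out.iconClass = tab.iconClass;
  }
  return out;
}

// Tab markup built from the normalised config. The icon class is taken only from
// the allowlist, so it can never break out of the attribute; the title is escaped.
function renderTabSafe(tab) {
  const t = normaliseTabConfig(tab);
  const icon = t.iconClass ? '<span class="glyphicon ' + t.iconClass + '"></span> ' : '';
  return '<li class="lm_tab">' + icon + escapeHtml(t.title) + '</li>';
}

// The browser window title is not an HTML context: document.title takes plain text.
// Hand it the text as-is; HTML-escaping it first is what puts "&lt;span ...&gt;" in the title bar.
function windowTitleFor(tab) {
  return normaliseTabConfig(tab).title;
}

// The child window reads its config back from storage. localStorage is same-origin,
// so another site cannot write to it, but the content is still whatever the parent
// stored; if that includes untrusted input, it must be validated here before rendering.
function readPopoutConfig(storage, key) {
  const raw = storage.getItem(key);
  if (raw === null) return null;
  let parsed;
  try {
    parsed = JSON.parse(raw);
  } catch (e) {
    return null;
  }
  if (!parsed || !Array.isArray(parsed.tabs)) return null;
  return { tabs: parsed.tabs.map(normaliseTabConfig) };
}

// Constructed sample standing in for window.localStorage: one honest tab and one
// whose title and icon class carry injected markup.
const sampleStore = new Map([
  ['gl-window', JSON.stringify({
    tabs: [
      { title: 'Alarms', iconClass: 'glyphicon-bell' },
      { title: '<img src=x onerror=alert(1)>', iconClass: 'glyphicon-bell" onmouseover="alert(2)' },
    ],
  })],
]);
const storageShim = { getItem: (k) => (sampleStore.has(k) ? sampleStore.get(k) : null) };

const popout = readPopoutConfig(storageShim, 'gl-window');
for (const tab of popout.tabs) {
  console.log(renderTabSafe(tab), '| window title:', windowTitleFor(tab));
}
```

Running it under Node prints the two rendered tabs: the first gets its bell icon and the text "Alarms", the second loses both the forged icon class and the image tag. The point the localStorage question turns on is in readPopoutConfig: same-origin storage stops other sites from planting a configuration, but it does not make the stored content trustworthy, so whether the configuration arrives by URL parameter or by localStorage the title still must not reach innerHTML as markup.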


@DinisCruz commented Mar 21, 2015

@hoxton-one sorry, I had no time to look at this.
