HTML in title of popup #18
Comments
Thanks for flagging this. It will be a bit of a balance: Currently the entire configuration string that's passed on to the child windows is stripped of tags and a number of expressions that can be used to create XSS attacks - in order to facilitate passing HTML to popout windows (not necessarily important for the title, but for components within it as well) I think we'd need to loosen the XSS policy a bit... Sorry for the delay in that, but this needs a bit of testing to not open up attack vectors.
Hi, allowing the set of icons on top of tabs (and other customisations) via HTML is very dangerous (i.e. XSS injection points), would it be possible to define (as a parameter) a number of extra classes to be added to a particular tab?
Hi @iver56 - thanks again for pointing this out. The overall issue is fixed in the just-released version 1.0.6. @DinisCruz - Now that the configuration is passed through localStorage - would there still be a security concern?
@hoxton-one sorry I had no time to look at this.
Let's say that I have a tab with HTML to show an icon in it. HTML:
Problem 1) When I open that tab in a popup, the title becomes the following:
I would rather it be just "Alarms" in this case.
Problem 2) When I "pop in" the popup, the text of the tab becomes the following:
I.e. the HTML isn't rendered, so I cannot see the icon, which I expect to see.
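An added example (not GoldenLayout code and not written by anyone in this thread) of the two ideas discussed above: reduce an HTML-bearing tab title to plain text for the popup window title, and accept extra tab classes as validated tokens instead of markup. The function names, the `extraClasses` field, the `tab` base class and the sample title are assumptions constructed for illustration.

```javascript
// Added example: hypothetical helpers, not GoldenLayout API.
const CLASS_TOKEN = /^[A-Za-z_][A-Za-z0-9_-]*$/;
const NAMED = new Map([['amp', '&'], ['lt', '<'], ['gt', '>'],
                       ['quot', '"'], ['apos', "'"], ['nbsp', ' ']]);

function decodeEntity(match, body) {
  const key = body.toLowerCase();
  if (key[0] !== '#') return NAMED.has(key) ? NAMED.get(key) : match;
  const cp = key[1] === 'x' ? parseInt(key.slice(2), 16) : parseInt(key.slice(1), 10);
  return cp > 0 && cp <= 0x10ffff ? String.fromCodePoint(cp) : match;
}

// Reduce an HTML-bearing title to plain text. The result can contain "<"
// after entity decoding, so it is only for text sinks (document.title,
// textContent), never innerHTML.
function plainTextTitle(title) {
  return String(title ?? '')
    .replace(/<(script|style)\b[^>]*>[\s\S]*?<\/\1\s*>/gi, '') // drop element and its body
    .replace(/<[^>]*>/g, '')                                   // drop remaining tags
    .replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);/gi, decodeEntity)
    .replace(/\s+/g, ' ')
    .trim();
}

// Accept extra classes as a string or array; keep only plain class tokens.
function safeClassList(extra, max = 8) {
  const tokens = Array.isArray(extra) ? extra : String(extra ?? '').split(/\s+/);
  const kept = [];
  for (const t of tokens) {
    if (typeof t === 'string' && CLASS_TOKEN.test(t) &&
        !kept.includes(t) && kept.length < max) kept.push(t);
  }
  return kept;
}

// What a tab renderer would apply: text via textContent, classes via className.
function tabPresentation(config) {
  return {
    text: plainTextTitle(config.title),
    className: ['tab', ...safeClassList(config.extraClasses)].join(' '),
  };
}

// Constructed sample config: the icon is requested by class, not by markup.
const sample = tabPresentation({ title: '<i class="icon-bell"></i> Alarms',
                                 extraClasses: 'icon-bell bad"><x' });
console.log(sample); // { text: 'Alarms', className: 'tab icon-bell' }
```

With the icon supplied by a CSS class, the same plain-text string can serve as the popup window title and as the tab label when the window is popped back in.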