
HTML in title of popup #18

Closed
iver56 opened this issue Nov 10, 2014 · 4 comments

Comments

@iver56
Contributor

iver56 commented Nov 10, 2014

Let's say that I have a tab with HTML to show an icon in it. HTML:

<span class="glyphicon glyphicon-bell"></span> Alarms

Problem 1) When I open that tab in a popup, the title becomes the following:

&lt;span class="glyphicon glyphicon-bell"&gt;&lt;/span&gt; Alarms

I rather want it to be just "Alarms" in this case.

Problem 2) When I "pop in" the popup, the text of the tab becomes the following:

<span class="glyphicon glyphicon-bell"></span> Alarms

i.e. the HTML isn't rendered, so I cannot see the icon, which I expect to see.

@deepstreamIO
Contributor

Thanks for flagging this. It will be a bit of a balance: currently the entire configuration string that's passed on to the child windows is stripped of tags and a number of expressions that can be used to create XSS attacks. In order to facilitate passing HTML to popout windows (not necessarily important for the title, but for components within it as well), I think we'd need to loosen the XSS policy a bit...

Sorry for the delay in that, but this needs a bit of testing to not open up attack vectors.

@DinisCruz

Hi, allowing the set of icons on top of tabs (and other customisations) via HTML is very dangerous (i.e. XSS injection points). Would it be possible to define (as a parameter) a number of extra classes to be added to a particular tab?
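The structured alternative proposed above (plain title text plus a parameter of extra classes, instead of raw HTML in the title), as an added JavaScript example that is not GoldenLayout's own code; the config field names `title` and `iconClasses` are assumed. It also shows the plain-text title wanted for the popout window in problem 1.

```javascript
// Added example (not GoldenLayout code): build a tab label from structured
// config instead of raw HTML. `title` and `iconClasses` are assumed names.

// A conservative allowlist for CSS class tokens (letters, digits, '-', '_').
const CLASS_TOKEN_RE = /^[A-Za-z_][A-Za-z0-9_-]*$/;

// Escape text for safe insertion into an HTML text node or attribute value.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Decode the few entities escapeHtml produces, so a plain-text title shows
// '&' rather than '&amp;'. '&amp;' is decoded last to avoid double-decoding.
// Only use on text that will NOT be re-inserted as HTML (e.g. document.title).
function decodeBasicEntities(text) {
  return text
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&amp;/g, '&');
}

// Plain-text form of a legacy HTML title for the popout window's title
// (problem 1): tags dropped, whitespace collapsed. This is a text extractor,
// not an HTML sanitizer; never feed its output back into the DOM as HTML.
function plainTitle(html) {
  const withoutTags = String(html).replace(/<[^>]*>/g, '');
  return decodeBasicEntities(withoutTags).replace(/\s+/g, ' ').trim();
}

// Keep only class tokens that match the allowlist; anything else is dropped.
function sanitizeClasses(classes) {
  return (classes || []).filter((c) => CLASS_TOKEN_RE.test(c));
}

// Render the tab label (problem 2): icon from allowlisted classes, title text
// always escaped, so no HTML taken from the config reaches the DOM.
function renderTabTitle(config) {
  const classes = sanitizeClasses(config.iconClasses);
  const icon = classes.length ? `<span class="${classes.join(' ')}"></span> ` : '';
  return icon + escapeHtml(config.title);
}
```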

@deepstreamIO
Contributor

Hi @iver56 - thanks again for pointing this out. The overall issue is fixed in the just released version 1.0.6.

@DinisCruz - Now that the configuration is passed through localStorage - would there still be a security concern?

@DinisCruz

@hoxton-one, sorry, I had no time to look at this.
