feat(login): add login disclaimer

[ferferga]

[sonarcloud]

Kudos, SonarCloud Quality Gate passed!

0 Bugs
0 Vulnerabilities
0 Security Hotspots
0 Code Smells

No Coverage information
0.0% Duplication

[Nickbert7]

Emby somewhen in the past removed the possibility to add HTML code via the branding function. (Somebody used it to add a donate button and if I remember correct the official excuse was that the stores do not accept custom content)
Was this "removal" server-side or part of the web client?
Basically my question is: Can I add a html link via the branding function or will it be again just text?

[ferferga]

Emby somewhen in the past removed the possibility to add HTML code via the branding function. (Somebody used it to add a donate button and if I remember correct the official excuse was that the stores do not accept custom content)
Was this "removal" server-side or part of the web client?
Basically my question is: Can I add a html link via the branding function or will it be again just text?

With this PR it will only appear as text.

We shouldn't allow that by any means as it can lead to XSS, so good thing you brought this up

I think that we should do all the handling client side.

[Nickbert7]

Emby somewhen in the past removed the possibility to add HTML code via the branding function. (Somebody used it to add a donate button and if I remember correct the official excuse was that the stores do not accept custom content)
Was this "removal" server-side or part of the web client?
Basically my question is: Can I add a html link via the branding function or will it be again just text?

With this PR it will only appear as text.

We shouldn't allow that by any means as it can lead to XSS, so good thing you brought this up

I think that we should do all the handling client side.

I understand that it can lead to security risks, but how about allowing just basic thinks a likes for example to a legal notice, the data protection policy or maybe to the project itself?

[ferferga]

@Nickbert7 I see your point but imo that's over complication for a thing that's intended to be really basic. We can spend the same time it could take us to do this on things that are more worth it.

People that want that level of customization for the disclaimer are probably already building their own versions of the client.

Anyway, this is my opinion, you should open a discussion so this can be brought to the attention of more people, as in this PR will probably go unnoticed.

[Nickbert7]

It is not such important for me. (As I use it for private purposes and most of my friends will stay signed in and never see those links regularly)
It just have remembered what has changed in the past and I thought about what could be possible via the branding and customs CSS feature.
This could also be important if you add custom themes in the future.
Should they:

• change colors
• change colors and change sizes
• change colors, change sizes and chage content
• change colors, change sizes, change content and add new content

[camc314]

I agree with ferferga. We shouldn't be using HTML in these places.

In the future, we might be able to use a custom Vue component. But that is some way down the line.

As Nick mentioned, custom themes should definitely be implemented, although with scoped styles, this could be tricky to change specific areas of the client.

[heyhippari]

We shouldn't allow that by any means as it can lead to XSS, so good thing you brought this up

Do note that we hoist dompurify specifically for these use cases.

While I'm not for complete HTML in the branding, I think allowing a few basic things like bold, italics, etc would be nice. Though I also believe that Markdown is a better fit for it than straight HTML.