feat(login): add login disclaimer #392
Conversation
ferferga
commented
Dec 15, 2020
Kudos, SonarCloud Quality Gate passed!
Emby at some point in the past removed the possibility to add HTML code via the branding function. (Somebody used it to add a donate button and, if I remember correctly, the official excuse was that the stores do not accept custom content.)
With this PR it will only appear as text. We shouldn't allow that by any means as it can lead to XSS, so good thing you brought this up. I think that we should do all the handling client side.
I understand that it can lead to security risks, but how about allowing just basic things like links, for example to a legal notice, the data protection policy or maybe to the project itself?
@Nickbert7 I see your point, but imo that's over-complication for a thing that's intended to be really basic. We can spend the same time it could take us to do this on things that are more worth it. People that want that level of customization for the disclaimer are probably already building their own versions of the client. Anyway, this is my opinion; you should open a discussion so this can be brought to the attention of more people, as it will probably go unnoticed in this PR.
It is not that important to me. (As I use it for private purposes and most of my friends will stay signed in and never see those links regularly.)
I agree with ferferga. We shouldn't be using HTML in these places. In the future, we might be able to use a custom Vue component. But that is some way down the line. As Nick mentioned, custom themes should definitely be implemented, although with scoped styles, this could be tricky to change specific areas of the client.
Do note that we hoist dompurify specifically for these use cases. While I'm not for complete HTML in the branding, I think allowing a few basic things like bold, italics, etc would be nice. Though I also believe that Markdown is a better fit for it than straight HTML.
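The thread above weighs three options for the operator-supplied disclaimer: render it as plain text, pass it through DOMPurify, or accept a small Markdown subset. The following is an added example, not code from jellyfin-vue or from any participant, showing the "escape first, then add a tiny Markdown subset" approach that the last comment leans toward. It does not use DOMPurify; it assumes the disclaimer string comes from the server's branding endpoint and that the result would be bound with `v-html` (or `innerHTML`), which is exactly where unescaped HTML would execute. Because escaping runs before the `**bold**` / `*italic*` rewrite, no tag from the input can reach the output, and `onlyAllowedTags` is a cheap self-check for that invariant. The function and sample strings are constructed for this example.

```javascript
// Added example (not jellyfin-vue code): render an operator-supplied login
// disclaimer without ever interpreting HTML from the input, while still
// allowing a minimal Markdown subset (bold and italic). Escaping runs first,
// so markup in the input cannot survive into the output.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape the five characters that can break out of text context in HTML.
// This is equivalent to what Vue's {{ }} text interpolation does.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Convert a restricted Markdown subset to HTML. Only **bold** and *italic*
// are recognised; everything else (including any raw <tags>) stays literal
// text because it was escaped before the rewrite.
function renderDisclaimer(markdown) {
  const escaped = escapeHtml(markdown);
  return escaped
    .replace(/\*\*([^*]+)\*\*/g, '<strong>$1</strong>')
    .replace(/\*([^*]+)\*/g, '<em>$1</em>');
}

// Invariant check: the rendered output must contain no tags other than the
// <strong>/<em> pairs we emit ourselves.
function onlyAllowedTags(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.every((t) => /^<\/?(strong|em)>$/.test(t));
}

// Constructed sample inputs (not taken from any real Jellyfin server).
const BENIGN = 'By signing in you accept the **terms of use** and *privacy policy*.';
const HOSTILE = 'Welcome <img src=x onerror="alert(1)"> **friends**';

// Bound with v-html / innerHTML, HOSTILE would fire onerror if passed raw;
// after renderDisclaimer the <img> is inert text and only **friends** becomes markup.
console.log(renderDisclaimer(BENIGN));
console.log(renderDisclaimer(HOSTILE));
console.log(onlyAllowedTags(renderDisclaimer(HOSTILE)));
```

The ordering is the whole point: sanitising after Markdown conversion would require a real HTML sanitiser (which is what DOMPurify is for), whereas escaping before a rewrite that only emits two fixed tags needs no allowlist at all. Links, as requested earlier in the thread, would need URL scheme validation on top of this and are deliberately not handled here.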
Address review comments of #392