Selection: Deprecate Selection::html #375

Closed
jmsmyth opened this Issue Jan 17, 2017 · 4 comments

jmsmyth commented Jan 17, 2017

If used incorrectly, it can increase the chance of adding XSS vulnerabilities. So probably best to remove it from the API.

jmsmyth added this to the Pre 2.0.0 milestone Jan 17, 2017

georgesimms commented Jan 31, 2017

You should also investigate places where HTML strings are passed as parameters, e.g. deprecate the Dropdown constructor that uses it.

georgesimms commented Jan 31, 2017

Modules that currently seem to use Selection::html:

  • Dropdown
  • Paginator (can trivially be replaced with fluid icons)
  • Sidebar (ditto)
  • Tree

Several tests also use the html getter. Maybe we can get away with just deprecating the setter?

georgesimms commented Jan 31, 2017

Do we also want to deprecate hx.parseHTML for the same reason?

jmsmyth commented Jan 31, 2017

Yes, I think so
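
An added example, not part of the thread or the project's code: a small Node.js audit that lists call sites of the html setter and hx.parseHTML so they can be migrated ahead of the deprecation, skipping the getter as suggested in the comments. The `.html(...)` call syntax, the function names and the sample sources are assumptions constructed for illustration.

```javascript
// Assumption: the setter is written `.html(<argument>)` and the getter `.html()`.

// Return the text between the parenthesis at openIdx and its matching close.
function callArgs(src, openIdx) {
  let depth = 0, quote = null;
  for (let i = openIdx; i < src.length; i++) {
    const ch = src[i];
    if (quote) {
      if (ch === '\\') i++;            // skip the escaped character inside a string
      else if (ch === quote) quote = null;
    } else if (ch === '"' || ch === "'" || ch === '`') {
      quote = ch;
    } else if (ch === '(') {
      depth++;
    } else if (ch === ')' && --depth === 0) {
      return src.slice(openIdx + 1, i);
    }
  }
  return src.slice(openIdx + 1);       // unbalanced: treat the rest as the argument
}

// List setter and parseHTML call sites; `files` maps file name -> source text.
function auditHtmlSinks(files) {
  const findings = [];
  const callRe = /(\.html|\bhx\.parseHTML)\s*\(/g;
  for (const [file, src] of Object.entries(files)) {
    for (const m of src.matchAll(callRe)) {
      const open = m.index + m[0].length - 1;
      const args = callArgs(src, open).trim();
      const isParse = m[1] !== '.html';
      if (!isParse && args === '') continue;   // getter: reads markup, writes nothing
      // A lone string literal without interpolation cannot carry user input.
      const literal = /^(['"])(?:\\.|(?!\1)[^\\])*\1$/.test(args) ||
                      /^`(?:\\.|[^`\\$])*`$/.test(args);
      const line = src.slice(0, m.index).split('\n').length;
      findings.push({ file, line, sink: isParse ? 'hx.parseHTML' : 'Selection::html',
                      risk: literal ? 'static' : 'dynamic' });
    }
  }
  return findings;
}

// Constructed sample sources (not taken from the project).
const sample = {
  'dropdown.js': "sel.html(content)\nsel.html('<i class=\"icon\"></i>')",
  'tree.js': 'var old = node.html()\nnode.html("<b>" + item.name + "</b>")',
  'util.js': 'hx.parseHTML(userMarkup)',
};
console.log(auditHtmlSinks(sample));
```

Findings marked `dynamic` are the ones to review first, since the markup is built from a variable or concatenation rather than a fixed string.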
