User-controlled data is not escaped

[dleshem]

All HTML4.generateDefaultTemplate arguments are added directly to the raw HTML.

While not a vulnerability per se, it opens up an attack vector against careless users who directly pass unsanitized user-generated values, which unfortunately is a common scenario.

Consider escaping these values as a best effort to protect Oy users.

[revivek]

This is worth addressing. The only way to protect against this consistently is to escape the arguments in Oy.renderTemplate before generateDefaultTemplate and generateCustomTemplate. However, we can't do this for bodyContent, since that HTML we want to directly inject. One way to achieve this is by having Oy.renderTemplate take the top-level component in directly.

I think an update to API is in order. It also opens up opportunities for node traversal/transformation as mentioned in #33. Something like this should work.

Oy.renderTemplate(<Template />, templateOptions)

Then we can safely inject the HTML generated by renderToStaticMarkup and escape the various templateOption properties.

[dleshem]

Love the new interface, makes much more sense.

[revivek]

Great!