All of the above should be safe to be interpreted as HTML. In general, any element being defined by the layout that's outside of the SVG context (so dashboard elements, tooltips, etc.) should accept arbitrary HTML where they accept arbitrary strings.
The only exception would be places where strings are being used for title attributes (e.g. LocusZoom.Dashboard.Component.Button.title) as HTML doesn't make sense in that context.
XSS is not a concern here... any <script> tags pumped through LZ's HTML generation methods would not be executed as browsers don't automatically execute dynamic script tags. And since everything's client-side anyway if somebody really wanted to execute arbitrary JS they certainly could without needing to use LZ's HTML passthroughs.
Thanks for explaining about the XSS. I always assumed the browser evaluated scripts on node.innerHTML = string, but apparently that's jquery here, not documented.
Right now,

- component.text is plain text. I'd like to use HTML for glyphicons but don't need it.
- component.title is plain text
- title_component.title is html
- menu_component.button_html is plain text
- menu_component.menu_html is html
- covariates_component.button_html is plain text

Should all of these allow arbitrary HTML?
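An added example, not LocusZoom's own code, of the split the thread is discussing: a component renders a plain-text field by escaping it and an _html field by passing it through, and title attributes are always escaped. The field names follow the list above; renderButton and looksActive are hypothetical helpers. One caveat in the editor's voice: assigning to innerHTML does not run the contents of a <script> tag, but it does run inline event handlers such as onerror, and jQuery's .html() does evaluate scripts, so an _html field is only safe when the layout comes from a trusted author. The regex check is for flagging suspicious layout strings in tests, not a sanitizer.

```javascript
// Added example (not LocusZoom code). Field names mirror the thread:
//   text / title          -> plain text, escaped before insertion
//   button_html           -> HTML passthrough for a trusted layout author
// renderButton and looksActive are hypothetical helpers for illustration.

// Escape the five characters that matter in both element and attribute context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Build the button markup. Prefer the _html field when present; otherwise
// treat `text` as plain text. `title` goes into an attribute, so it is always
// escaped: HTML never makes sense there, as the thread notes.
function renderButton(layout) {
  const inner = layout.button_html !== undefined
    ? String(layout.button_html)          // trusted layout author: passthrough
    : escapeHtml(layout.text ?? '');      // plain text: escaped
  const title = layout.title !== undefined
    ? ` title="${escapeHtml(layout.title)}"`
    : '';
  return `<button class="lz-dashboard-button"${title}>${inner}</button>`;
}

// Content that will execute when inserted: inline event handlers and
// javascript: URLs run under innerHTML; <script> runs under jQuery .html().
// Rough check for a lint pass or test over layouts from an untrusted source.
const ACTIVE_CONTENT = /<script\b|\bon[a-z]+\s*=|javascript:/i;
function looksActive(html) {
  return ACTIVE_CONTENT.test(String(html));
}

// Constructed sample layouts, both paths exercised.
const glyphButton = renderButton({
  button_html: '<span class="glyphicon glyphicon-cog"></span>',
  title: 'Settings "menu"',
});
const plainButton = renderButton({ text: '<img src=x onerror=alert(1)>' });
console.log(glyphButton);
console.log(plainButton);
console.log(looksActive('<img src=x onerror=alert(1)>'),   // true
            looksActive('<span class="glyphicon"></span>')); // false
```

Use renderButton's escaped path for any string that can originate outside the layout author's control, and keep looksActive in a test that walks every _html field of a layout before it is loaded.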