-
Notifications
You must be signed in to change notification settings - Fork 302
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
improve xss security #840
improve xss security #840
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In some of the files util
is not imported
bc36b6e
to
54eb534
Compare
🎉 This PR is included in version 7.4.4 🎉 The release is available on: Your semantic-release bot 📦🚀 |
Hello :) Its seems that this PR has introduced a regression because the The error :
Should i open a new issue for this ? |
Hi there, I know this is already out as a fix but this is a breaking change. XSS is basically nuking the HTML away with an extremely constrained set of exceptions. There are no forms, no classes, no styles etc. Also the thing has like 30K and for what? So that people can have the convenience of Another thing is that the configurator (which is except for reformatting identical to the code in Vis Network and really should be moved to Vis Util) doesn't really use HTML (apart from some simple wrapping, but we don't need innerHTML for that), it can be quite easily converted to innerText and no sanitation is necessary at all. |
I agree with @Thomaash, shouldn't sanitization be up to the user? For example, setting a tooltip template is now pretty useless, as you can not input any attributes to elements. |
Solution to allow classes, styles etc in elements (based on the changes that they made resolving this issue)
Be wary of XSS in this case, of course. |
I added the xss library to improve security.
fixes #838