-
Notifications
You must be signed in to change notification settings - Fork 610
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Escape HTML characters in list of suggestions #17189
base: gh-pages
Are you sure you want to change the base?
Conversation
> > fix LeaVerou#16932 > > Generate manual DOM subtree for each marked instance of the queried string instead of generating an unsafe HTML string
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi Dom!
Thanks for contributing!
It looks like this is something that could be done much more succinctly, by using a function in the second argument of replace()
that creates a <mark>
element, sets its textContent
, then returns its innerHTML
. But it's entirely possible I may be missing something here!
Also, please follow the conventions & code style of the project, namely:
Use tabs instead of spaces for indentation Use $.create to create DOM elements instead of document.createElement
I have hopefully adjusted the code to the coding style. I may be missing something for the |
Thanks!
That made me realize that as currently written, this is backwards incompatible: HTML in options works right now, whereas if this is merged, it would stop working and possibly break numerous use cases. Ideally we want something that keeps HTML that was there from the beginning, but doesn't convert special characters to HTML when highlighting them. I.e. something that's XSS-safe, but doesn't restrict what you can do in the initial options. Does that make sense? |
re backwards-compatibility, I don't think it can be preserved:
I guess we could make the new behavior opt-in - but given the XSS risks and the existing ambiguity, it seems to me making it the default would be better. That being said, I could imagine making it possible to opt-out of the new behavior (e.g. through a new option) - this would imply adapting the way the labels gets displayed in the |
I believe that's fine, e.g. many use cases are about displaying graphics next to the suggestions.
Good point, that should be prevented (though I'm still not sure if it should be the default at this point). However, if there's HTML in the initial options, included in the page's markup, that should be preserved, no? I noticed that the current behavior is definitely buggy: If you include
I wonder if it would be an easier transition to make it opt-in in this version, and announce that it's going to be default behavior in the next one, and people should use the option now if they need it. |
I have looked a bit more into this, and I think there are the following bugs in the way HTML values or labels are handled:
Here is how I think HTML in the list of suggestions could be properly supported with reduced XSS risks:
This would imply adopting the code to handle differently text and DOM fragments, and converting DOM fragments to text via What do you think? (I'm leaving aside the backwards-compatibility question for now - I feel it will be easier to consider it once the end goal is clearer) |
fix #16932
Generate manual DOM subtree for each marked instance of the queried string instead of generating an unsafe HTML string