If I need to prove (to the best of my ability) that my app is protected against XSS with regards to innerHTML / innerText, how am I supposed to do this?
There are three possible protectors (normally):

a. The browser. The browsers will not be able to do this automatically, even with proposed standards.
b. The framework.
c. The application code.

With Label, for example, currently only htmlText = S will use innerHTML. But there could be a multitude of other APIs that eventually cause framework code to set innerHTML. It seems a monumental effort for the developer to grep for all possible API calls that might somehow end up doing an innerHTML = X in the framework, perhaps after layers and layers of calls. (And the developer may not be familiar with the app code, either.)

That leaves the framework. Seems pretty easy to grep for all uses of innerHTML / innerText to validate it. (And application code that uses innerHTML / innerText directly can be validated like that, too, of course.)

Browsers are going to have HTML Sanitizer API some day: https://developer.mozilla.org/en-US/docs/Web/API/HTML_Sanitizer_API

How is the application code supposed to even use this, if the framework doesn't have a hook? You really want to force apps to do sanitizeFor(...).innerHTML? That will cause double-parsing (since the framework eventually does innerHTML = X on that value) and potential side-effects if the two parses don't match due to context.

As for use cases, if something like Label or UITextField or such is used in a List, and dataProvider comes from remote data, I would think it's pretty easy to get into trouble if someone were to use htmlText = S for display. But that's just theoretical. I'm actually not very familiar with how often the htmlText property is used in the libraries. I see that MX LegendItem seems to use it, but maybe that's an outlier. But htmlText is not the only place where innerHTML / innerText might be used, so I don't want to focus just on that. You don't know what Royale contributors might use innerHTML / innerText for in the future, but you could insist that they always call the sanitizer hook.
On 12/10/2021 4:27 AM, Harbs wrote:
> Sanitizing what? And why?
>
> What is the use case which is “dangerous”?
>
>> On Dec 10, 2021, at 11:49 AM, Edward Stangler wrote:
>>
>> My mistake.
>>
>> Definitely should be sanitizing. If you want PAYG, then make it default
>> (some global function) and something that can be overridden by those who
>> want to live dangerously.
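The following is an added example sketching the hook the thread argues for: one global sanitizer function, safe by default, that framework code always calls before assigning innerHTML, and that an application can override. It is not Apache Royale code; `setHtml`, `setSanitizer`, `passThrough`, the `Label` class modelled on the `htmlText` property, the fake element and the sample remote value are all assumptions made for illustration.

```javascript
// Added example (not Apache Royale code): a framework-wide sanitizer hook.
// Every framework code path that would write markup calls setHtml(), which
// runs the single global hook and then assigns innerHTML exactly once, so
// application code never pre-sanitizes and the browser parses only once.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Default hook: render untrusted markup as inert text (the safe PAYG default).
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

let sanitizerHook = escapeHtml;

// Replace the global hook; returns the previous one so a caller can restore it.
function setSanitizer(fn) {
  if (typeof fn !== 'function') throw new TypeError('sanitizer must be a function');
  const previous = sanitizerHook;
  sanitizerHook = fn;
  return previous;
}

function getSanitizer() {
  return sanitizerHook;
}

// The one choke point for markup writes: the only place framework code
// should ever assign innerHTML. Auditing the framework means auditing this.
function setHtml(element, untrustedHtml) {
  const clean = sanitizerHook(untrustedHtml);
  element.innerHTML = clean;
  return clean;
}

// Explicit opt-out for callers whose markup is trusted ("live dangerously").
const passThrough = (html) => String(html);

// Hypothetical component modelled on Label's htmlText property (assumption).
class Label {
  constructor(element) {
    this.element = element;
    this._htmlText = '';
  }
  get htmlText() {
    return this._htmlText;
  }
  set htmlText(value) {
    this._htmlText = value;
    setHtml(this.element, value); // never this.element.innerHTML = value directly
  }
}

// Constructed stand-in for a DOM element so the example runs outside a browser.
function fakeElement() {
  return { innerHTML: '' };
}

// Constructed sample: a value arriving from remote data (e.g. a List dataProvider).
const SAMPLE_REMOTE_VALUE = '<script>alert(1)</script>Hello';

function demo() {
  const el = fakeElement();
  const label = new Label(el);

  // Default hook: the script tag is escaped, so it can never execute.
  label.htmlText = SAMPLE_REMOTE_VALUE;
  const escaped = el.innerHTML;

  // Application opts out for a trusted source, then restores the default.
  const previous = setSanitizer(passThrough);
  label.htmlText = '<b>trusted</b>';
  const raw = el.innerHTML;
  setSanitizer(previous);

  return { escaped, raw };
}
```

A browser-side override would simply be another function installed with `setSanitizer`, for instance one delegating to the HTML Sanitizer API once it ships; because the hook runs at the single assignment point, the markup is parsed once and there is no second parse whose context could disagree with the first.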