Styling, yes. Spans within the label? Not so sure.

We could just sanitize the HTML automatically, but I’m not sure how much 
overhead that has.

We could possibly take a middle approach:

Check if the label has a “<” character. If yes, sanitize. If not, don’t. 
Although I wouldn’t be surprised if the goog library already does something 
similar...

> On Dec 12, 2021, at 4:21 PM, Andrew Wetmore <cottag...@gmail.com> wrote:
> 
> I would think that styling text in buttons would be pretty common
> across the Flex universe.
> 
> Does there need to be documentation about this threat and our steps to
> secure Royale from it?
> 
> On Sun, Dec 12, 2021 at 9:44 AM Harbs <harbs.li...@gmail.com> wrote:
> 
>> At the expense of performance? How common was setting styled text in
>> buttons?
>> 
>> I could go either way on this.
>> 
>>> On Dec 12, 2021, at 2:57 PM, Yishay Weiss <yishayj...@hotmail.com> wrote:
>>> 
>>> Haven’t been following this closely enough to understand the overhead
>>> involved, but if it’s not big then retaining backwards compatibility in
>>> emulation should take priority IMO. For other component sets I wouldn’t say
>>> that.
>> 
>> 
> 
> -- 
> Andrew Wetmore
> 
> Editor, Moose House Publications <https://moosehousepress.com/>
> Editor-Writer, The Apache Software Foundation <https://apache.org/>
