There’s a sanitizeHTML helper function that’s relatively new.

I don’t have a strong opinion on whether it should be sanitized by default or 
whether that should be the application developer’s responsibility.

As far as PAYG is concerned, it’s better to put the responsibility on the app 
developer.

As far as security is concerned, it would be better to sanitize in the 
framework.

I personally would give precedence to PAYG because the threat of an XSS attack 
using innerHTML is a bit of a stretch in Royale.

We should come up with a policy, document it, and stick to it across the 
framework.

If we do sanitize in the components, it should probably happen in the model 
setter.

What do others think?

> On Oct 18, 2022, at 2:32 AM, Hugo Ferreira <hferreira...@gmail.com> wrote:
> 
> Thank you very much.
> I see the bug.
> I hope that the Label (html property) that FormHeading that depends on,
> doesn't have the same issue :)
> 
> About the sanitize:
> Should this really be a responsibility of FormHeadingView !?
> Shouldn't the responsibility be on one of the edges (the limit of the html
> property core or on the end application) ?
> In the middle, we could end up "sanitizing" too much just to be sure.
> 
> 
> 
> Harbs <harbs.li...@gmail.com> wrote on Monday, 17/10/2022 at
> 19:25:
> 
>> I assume this is Jewel. I don’t use Jewel, but I just looked at
>> FormHeadingView and textChangeHandler is used for both textChange and
>> htmlChange. In both cases it sets the text rather than html in the
>> htmlChange case. That seems to be broken.
>> 
>> If you fix this, make sure the html is sanitized when applied.
>> 
>> Harbs
>> 
>>> On Oct 16, 2022, at 5:17 PM, Hugo Ferreira <hferreira...@gmail.com>
>> wrote:
>>> 
>>> Hi,
>>> 
>>> I'm using FormHeading when I have a lot of fields and want to create a
>>> vertical separation (group of data).
>>> It's OK, however I needed now to use in the FormHeading text some HTML
>>> (basic stuff like strong and br), however the property "text" of
>>> FormHeading is for simple real strings and not HTML.
>>> I saw the html property, however this property does nothing.
>>> Is it something that's not already implemented in the core, or am I
>>> missing something ?
>>> 
>>> I saw that I can work around it, using a pure html:Div with innerHTML but I
>>> have read in the past that I should avoid it.
>> 
>> 

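As an added illustration of the "sanitize in the model setter" option discussed in the thread above (hypothetical code, not Royale's sanitizeHTML or FormHeadingView): an escape-then-allowlist sanitizer that keeps the strong and br markup the original question asks for, applied in a model's html setter so the view never hands raw markup to innerHTML. The tag list, FormHeadingModel and renderHeading are assumptions made for this example.

```javascript
// Hypothetical allowlist sanitizer modelled on the "sanitize in the model setter"
// option from the thread. Not Royale's sanitizeHTML or FormHeadingView code.
const ALLOWED_TAGS = new Set(['strong', 'em', 'b', 'i', 'br']);

// Step 1: neutralise every markup-significant character in the input.
function escapeHtml(s) {
  return s
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
}

// Step 2: re-enable only bare, attribute-free allowlisted tags. A tag carrying
// attributes (onerror=, href=, style=) never matches, so it stays escaped text.
function sanitizeHtml(input) {
  return escapeHtml(String(input)).replace(
    /&lt;(\/?)([a-zA-Z]+)\s*\/?&gt;/g,
    (whole, slash, name) => {
      const tag = name.toLowerCase();
      if (!ALLOWED_TAGS.has(tag)) return whole; // e.g. <script> stays "&lt;script&gt;"
      return tag === 'br' ? '<br>' : `<${slash}${tag}>`;
    }
  );
}

// A model whose html setter sanitizes on assignment, so every view that reads
// model.html (and assigns it to innerHTML) receives markup that is already clean.
class FormHeadingModel {
  constructor() { this._html = ''; }
  set html(value) { this._html = sanitizeHtml(value); }
  get html() { return this._html; }
}

// What a view would assign to innerHTML for a given model (assumed markup).
function renderHeading(model) {
  return `<h3>${model.html}</h3>`;
}

// Constructed inputs: the markup the question asks for, then a markup injection
// attempt that must come out inert (attributes dropped, unknown tags escaped).
const model = new FormHeadingModel();
model.html = '<strong>Billing</strong><br>Address';
console.log(renderHeading(model));
model.html = '<img src=x onerror=alert(1)><STRONG>ok</STRONG>';
console.log(renderHeading(model));
```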