Yes, I saw that helper (I searched for it name) :) Yes, it's exactly what I mean: put this in one of the limites of the workflow and never in the middle. That's my opinion.
Harbs <harbs.li...@gmail.com> escreveu no dia terça, 18/10/2022 à(s) 08:06: > There’s a sanitizeHTML helper function that’s relatively new. > > I don’t have a strong opinion on whether it should be sanitized by default > or that should be the application developer’s responsibility. > > As far as PAYG is concerned, it’s better to put the responsibility on the > app developer. > > As far as security is concerned, it would be better to sanitize in the > framework. > > I personally would give precedence to PAYG because the threat of a XSS > attack using innerHTML is a bit of a stretch in Royale. > > We should come up with a policy, document it, and stick to it across the > framework. > > If we do sanitize in the components, it should probably happen in the > model setter. > > What do others think? > > > On Oct 18, 2022, at 2:32 AM, Hugo Ferreira <hferreira...@gmail.com> > wrote: > > > > Thank you very much. > > I see the bug. > > I hope that the Label (html property) that FormHeading that depends on, > > doesn't have the same issue :) > > > > About the sanitize: > > Should this be really a reponsibility of FormHeadingView !? > > Shouldn't the responsibility on one of the edges (the limit of html > > property core or on the end application) ? > > In the middle, we could ending "sanitizing" too much just to be ensure. > > > > > > > > Harbs <harbs.li...@gmail.com> escreveu no dia segunda, 17/10/2022 à(s) > > 19:25: > > > >> I assume this is Jewel. I don’t use Jewel, but I just looked at > >> FormHeadingView and textChangeHandler is used for both textChange and > >> htmlChange. In both cases it sets the text rather than html in the > >> htmlChange case. That seems to be broken. > >> > >> If you fix this, make sure the html is sanitized when applied. > >> > >> Harbs > >> > >>> On Oct 16, 2022, at 5:17 PM, Hugo Ferreira <hferreira...@gmail.com> > >> wrote: > >>> > >>> Hi, > >>> > >>> I'm using FormHeading when I have a lot of fields and want to create a > >>> vertical separation (group of data). > >>> It's OK, however I needed now to use in the FormHeading texto some HTML > >>> (basic stuff like strong and br), however the property "text" of > >>> FormHeading it's for simple real strings and not HTML. > >>> I saw the html property, however this property does nothing. > >>> It's something that it's not already implemented in the core or I'm > >> missing > >>> something ? > >>> > >>> I saw tht I can workaround, using a pure html:Div with innerHTML but I > >> have > >>> read in the past that I should avoid it. > >> > >> > >
