aurelia-ui-toolkits / aurelia-materialize-bridge

Materialize CSS components for Aurelia
http://aurelia-ui-toolkits.github.io/demo-materialize/
MIT License

Rename tooltip and toast text/message fields #546

Closed FINDarkside closed 5 years ago

FINDarkside commented 5 years ago

toastService and tooltip use `message` and `text` fields for content, which does not adequately convey that the content is actually rendered as HTML instead of text.

MaximBalaganskiy commented 5 years ago

That's going to be a breaking change. I'm inclined to hold on till the upgrade to Aurelia vNext.

FINDarkside commented 5 years ago

While it's a breaking change, the current state exposes many people to XSS, as they don't know that the data labeled as text is really handled as HTML. Even more so because this is Aurelia, and there's really no need for parsing attributes as HTML. The content should be exposed as a slot instead. I get that it's done the way it is because of how Materialize works, but it's not reasonable to expect developers to know this. Pretty much the only way to find out about this is by specifically testing every component for XSS, or by reading all the source code in this repo. Even if you decide not to make the change yet, you should at least add a big warning about it.
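The following is an added example illustrating the point raised in this issue; it is not code from aurelia-materialize-bridge or Materialize. The `buildToastMarkup` function is a stand-in for any widget that concatenates a parameter named `message`/`text` straight into markup, `buildToastMarkupFromText` is a hypothetical caller-side wrapper, and `findEventHandlers` is a deliberately crude check used only so the example can show the difference without a browser.

```javascript
// Added example (not the bridge's own code): why a field named "text" that is
// actually dropped into HTML is an XSS sink, and what a caller has to do
// about it until the API is renamed or changed to a slot.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that can change element or attribute context,
// so the string is rendered as literal text wherever it is inserted.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Stand-in for a toast/tooltip that concatenates its "message" straight into
// markup, i.e. treats it as HTML regardless of what the parameter name says.
function buildToastMarkup(message) {
  return `<div class="toast">${message}</div>`;
}

// Hypothetical safe wrapper a caller can put in front of such an API:
// escape first, so user-controlled content cannot introduce elements.
function buildToastMarkupFromText(text) {
  return buildToastMarkup(escapeHtml(text));
}

// Find inline event-handler attributes (onerror=, onload=, ...) that sit
// inside a tag. A cheap way to tell whether injected markup survived; a real
// test would load the markup into a browser or an HTML parser.
function findEventHandlers(markup) {
  const re = /<[a-z][^>]*?\s(on\w+)\s*=/gi;
  return [...markup.matchAll(re)].map((m) => m[1].toLowerCase());
}

// Constructed attacker-controlled input, e.g. a display name echoed in a toast.
const PAYLOAD = '<img src=x onerror="alert(document.cookie)">';

function demo() {
  const unsafe = buildToastMarkup(PAYLOAD);        // the <img onerror> survives
  const safe = buildToastMarkupFromText(PAYLOAD);  // shown as literal text
  return {
    unsafe,
    safe,
    unsafeHandlers: findEventHandlers(unsafe),  // ['onerror']
    safeHandlers: findEventHandlers(safe),      // []
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Run with `node` to see both renderings side by side. The escaping step belongs at the call site only as a stopgap; the fix the issue asks for (a field name that says HTML, or a slot so the framework's own binding does the escaping) removes the need for every caller to remember it.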