As a CyclePlanet member, I want CyclePlanet to use cybersecurity best practices so that CyclePlanet does its best to protect me against cyberattacks.
As a CyclePlanet board member, I want to use a secure design so I don't end up in a situation where I'm held legally responsible for data theft or other cybersecurity incidents.
So let's use a less powerful format than arbitrary HTML for marker descriptions, country wiki pages and other places where we allow users to enter text with markup. While we fixed the urgent XSS hole with #90, using HTML for this functionality at all is a very dangerous way of working. How do we really know this "v-html-safe" library really covers all possible ways to exploit HTML? How do we know W3C isn't adding new capabilities to HTML that v-html-safe doesn't cover? It's better to use Markdown or some other user-friendly microformat. I suspect that there are plenty of JavaScript libraries for showing editors for Markdown and for rendering it into the DOM of a page.
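An added example, not part of the original issue and not CyclePlanet code, of what a less powerful format means in practice: a renderer for a small Markdown-like subset that escapes all user input first and then emits only a fixed set of tags. The subset (paragraphs, `- ` lists, `**bold**`, `*emphasis*`, `[label](url)`), the URL scheme allowlist and all function names are assumptions made for illustration.

```javascript
// Added example; function names are hypothetical, not CyclePlanet code.
const ESC = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
const escapeHtml = (s) => s.replace(/[&<>"']/g, (c) => ESC[c]);

// Assumed policy: only http(s) and mailto links become anchors.
const safeHref = (url) => (/^(https?:\/\/|mailto:)/i.test(url) ? url : null);

function renderInline(text) {
  // Escape first: from here on, no user-supplied character can open a tag
  // or close an attribute. Every "<" in the output is written by this code.
  let out = escapeHtml(text);
  // Links before emphasis; "*" is excluded from label and URL so the
  // emphasis patterns below can never match inside an emitted <a ...> tag.
  out = out.replace(/\[([^\]*]+)\]\(([^)\s*]+)\)/g, (m, label, url) => {
    const href = safeHref(url);
    // Rejected schemes (javascript:, data:, ...) stay visible as plain text.
    return href ? `<a href="${href}" rel="nofollow noopener">${label}</a>` : m;
  });
  out = out.replace(/\*\*([^*]+)\*\*/g, "<strong>$1</strong>");
  return out.replace(/\*([^*]+)\*/g, "<em>$1</em>");
}

// Block level: blank lines separate blocks; a block whose lines all start
// with "- " is a list, anything else is a paragraph.
function renderMarkup(src) {
  return src
    .replace(/\r\n?/g, "\n")
    .split(/\n{2,}/)
    .map((block) => {
      const lines = block.split("\n").filter((l) => l.trim() !== "");
      if (lines.length === 0) return "";
      if (lines.every((l) => l.startsWith("- "))) {
        const items = lines.map((l) => `<li>${renderInline(l.slice(2))}</li>`);
        return `<ul>${items.join("")}</ul>`;
      }
      return `<p>${renderInline(lines.join(" "))}</p>`;
    })
    .filter(Boolean)
    .join("\n");
}
```

The set of elements and attributes that can reach the page is whatever this code writes, so new HTML features cannot appear in the output unless the renderer is changed to emit them.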