dasDaniel / svelte-table

A svelte table implementation that allows sorting and filtering
https://dasdaniel.github.io/svelte-table/
MIT License
535 stars 40 forks

feat!: escape html for renderValue and value content by default #158

Closed Conni2461 closed 1 year ago

Conni2461 commented 1 year ago

If you currently do rendering with either value or renderValue you have to manually escape your HTML because it's always rendered with the html tags, which doesn't perform sanitization of the expression (https://svelte.dev/tutorial/html-tags).

This can be worked around with the slot interface, but that would result in a lot of additional code (at least in my code base) or it would result in the user manually doing sanitization, which isn't great for users.

This is a breaking change because it now uses sanitization by default and you have to opt out of it, but I understand if you don't wanna break here; if that's the case we can make sanitization opt-in. Afaik jquery-datatables also has a sanitization opt-in and not on by default.
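The shape of the change under discussion, as an added example that is not svelte-table's own code: cell content produced by `value`/`renderValue` is HTML-escaped before it reaches an `{@html}` tag, escaping is on by default, and a column can opt out when its `renderValue` deliberately builds trusted markup. The option name `escapeHtml`, the `renderCell`/`renderRow` helpers and the sample row are assumptions made for the example.

```javascript
// Added example (not svelte-table's own code). Escapes cell content before it
// would be handed to Svelte's {@html} tag. The column option `escapeHtml` and
// the helper names are assumptions; only `value`/`renderValue` come from the PR.

const ESCAPE_MAP = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Replace the five characters that change meaning in HTML text and
// attribute contexts. Everything else is passed through unchanged.
function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => ESCAPE_MAP[ch]);
}

// Resolve one cell the way a column definition would: `value` extracts the raw
// datum, `renderValue` (optional) produces the displayed content, and the
// result is escaped unless the column explicitly sets `escapeHtml: false`.
function renderCell(column, row) {
  const raw = column.value(row);
  const rendered =
    typeof column.renderValue === "function" ? column.renderValue(row) : raw;
  const shouldEscape = column.escapeHtml !== false; // escape by default
  return shouldEscape ? escapeHtml(rendered) : String(rendered);
}

// Render a whole row; the output is what would be placed inside {@html}.
function renderRow(columns, row) {
  return columns.map((c) => `<td>${renderCell(c, row)}</td>`).join("");
}

// Constructed sample data: a user-supplied name that happens to contain markup.
const SAMPLE_ROW = { id: 1, name: "Alice <b>& co</b>" };

const COLUMNS = [
  // Plain data column: escaped by default, so the <b> tag is shown literally.
  { key: "name", title: "Name", value: (r) => r.name },
  {
    key: "link",
    title: "Profile",
    value: (r) => r.id,
    // Author-controlled markup; the untrusted part is escaped inside it first,
    // so opting out of the outer escape is safe here.
    renderValue: (r) => `<a href="/users/${r.id}">${escapeHtml(r.name)}</a>`,
    escapeHtml: false,
  },
];

console.log(renderRow(COLUMNS, SAMPLE_ROW));
```

The opt-out column shows why escape-by-default is the safer default: a column that needs real markup must say so, and the burden of escaping the user-controlled fragment is then visibly on the author of that `renderValue`.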

dasDaniel commented 1 year ago

this wouldn't be a breaking change if the default behaviour was kept the same

Conni2461 commented 1 year ago

That's what I was trying to communicate in the description. So you want me to keep the current behavior?

dasDaniel commented 1 year ago

I would like to prevent breaking changes when possible. I think for security reasons it might be better to make that the default, so I'll bump the minor version.

Conni2461 commented 1 year ago

thanks for merging :)

dasDaniel commented 1 year ago

released in v0.6.0