eeue56 / elm-static-html

Statically render html from Elm!
BSD 3-Clause "New" or "Revised" License
87 stars 10 forks

Content of text nodes is not escaped #14

Open peacememories opened 6 years ago

peacememories commented 6 years ago

When writing normal Elm, one does not have to do much escaping to avoid XSS since, for example, Html.text just creates a text node, which cannot be interpreted as containing any tags.

When converting to html though, this library should ideally escape the contents of text nodes, so a view like

import Html exposing (Html)

view : Html msg
view =
    Html.text "<script>//do evil stuff</script>"

does not generate malicious html files.

I realize this project may be superseded by a native Elm workflow in 0.19, but until then I feel this is still a security concern.
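An added example, not code from this issue or from elm-static-html: a minimal JavaScript serializer for an Elm-style virtual DOM tree (the tree shape `{ tag, attrs, children }` with plain strings as text nodes is an assumption) that shows the verbatim rendering the issue describes beside an escaping renderer; it goes slightly beyond the issue by also escaping attribute values.

```javascript
// Added example, not part of elm-static-html. A text node produced by
// Html.text must stay text when serialized, so the characters that can
// open markup are replaced by entities.
const TEXT_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;" };
// Attribute values are quoted with double quotes, so quotes are escaped too.
const ATTR_ESCAPES = { ...TEXT_ESCAPES, '"': "&quot;", "'": "&#39;" };

function escapeText(s) {
  return String(s).replace(/[&<>]/g, (c) => TEXT_ESCAPES[c]);
}

function escapeAttr(s) {
  return String(s).replace(/[&<>"']/g, (c) => ATTR_ESCAPES[c]);
}

// Serialize a tree where a node is either a string (text node) or an
// object { tag, attrs, children } (assumed shape). Attribute names are
// taken as trusted, as they come from Elm's typed Html.Attributes API.
function render(node, escText, escAttr) {
  if (typeof node === "string") return escText(node);
  const attrs = Object.entries(node.attrs || {})
    .map(([k, v]) => ` ${k}="${escAttr(v)}"`)
    .join("");
  const inner = (node.children || []).map((c) => render(c, escText, escAttr)).join("");
  return `<${node.tag}${attrs}>${inner}</${node.tag}>`;
}

// The behaviour the issue reports: text is concatenated verbatim, so a
// text node's content is emitted as markup.
function renderUnsafe(node) {
  return render(node, String, String);
}

// The fix: every text node and attribute value is escaped, preserving the
// meaning of the Elm view.
function renderSafe(node) {
  return render(node, escapeText, escapeAttr);
}

// Constructed sample tree mirroring the view in the issue, with one
// attribute added to exercise attribute escaping.
const sampleView = {
  tag: "div",
  attrs: { title: 'say "hi"' },
  children: ["<script>//do evil stuff</script>"],
};
```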

peacememories commented 6 years ago

Since Elm 0.19 seemingly won't be shipping with any static rendering capability built-in I think this issue might be relevant after all. Especially since the behaviour differs from how Elm normally works. Code that was perfectly safe with pure Elm suddenly becomes vulnerable when statically rendering.

Is there anything I can do to help dealing with this issue? Or is there anything I am missing and this isn't a problem after all?

(sorry if this comes across as demanding or similar. English is not my first language and I am just trying to start discussion of this issue :innocent: I appreciate that you have many projects that demand your time and am not trying to get you to reprioritize :) )