Open peacememories opened 6 years ago
Since Elm 0.19 seemingly won't be shipping with any static rendering capability built in, I think this issue might be relevant after all, especially since the behaviour differs from how Elm normally works. Code that was perfectly safe with pure Elm suddenly becomes vulnerable when statically rendering.
Is there anything I can do to help dealing with this issue? Or is there anything I am missing and this isn't a problem after all?
(sorry if this comes across as demanding or similar. English is not my first language and I am just trying to start discussion of this issue :innocent: I appreciate that you have many projects that demand your time and am not trying to get you to reprioritize :) )
When writing normal Elm, one does not have to do much escaping to avoid XSS since, for example, `Html.text` just creates a text node, which cannot be interpreted as containing any tags. When converting to HTML, though, this library should ideally escape the contents of text nodes, so a view like
does not generate malicious HTML files.
I realize this project may be superseded by a native Elm workflow in 0.19, but until then I feel this is still a security concern.
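To make the concern concrete, here is an added example (not code from the issue author, and not the library's own renderer) that flattens a tiny virtual-DOM tree to a string twice: once copying text nodes verbatim, once escaping them. The node shape (`node`/`text`), the function names and the sample input are assumptions made for this illustration. In a live DOM, a text node created from `<img ...>` is just characters, but once the same tree is serialized to a string and written to a file, the browser that later loads that file parses it as markup.

```javascript
// Added example, not the library's code. Node shape and names are assumptions.

// Minimal HTML escaping for text node content and attribute values.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Build a tree the way Html.node / Html.text would (assumed shape).
const node = (tag, attrs, children) => ({ kind: "node", tag, attrs, children });
const text = (value) => ({ kind: "text", value });

// Unsafe renderer: copies text nodes verbatim. Safe as a DOM text node,
// not safe once flattened to a string that a browser will parse.
function renderUnsafe(n) {
  if (n.kind === "text") return n.value;
  const attrs = Object.entries(n.attrs)
    .map(([k, v]) => ` ${k}="${v}"`)
    .join("");
  return `<${n.tag}${attrs}>${n.children.map(renderUnsafe).join("")}</${n.tag}>`;
}

// Safe renderer: escapes text content and attribute values so the string
// parses back into the same tree the view described.
function renderSafe(n) {
  if (n.kind === "text") return escapeHtml(n.value);
  const attrs = Object.entries(n.attrs)
    .map(([k, v]) => ` ${k}="${escapeHtml(v)}"`)
    .join("");
  return `<${n.tag}${attrs}>${n.children.map(renderSafe).join("")}</${n.tag}>`;
}

// Constructed sample: a view that displays user-supplied content via text.
const userInput = '<img src=x onerror="alert(1)">';
const view = node("div", { class: "comment" }, [text(userInput)]);

// Helper used to check whether a serialized string contains a real start tag.
function containsTag(html, tagName) {
  return new RegExp(`<${tagName}\\b`, "i").test(html);
}

console.log("unsafe:", renderUnsafe(view)); // contains a live <img ...> tag
console.log("safe:  ", renderSafe(view));   // contains only &lt;img ...&gt;
```

One caveat a static renderer also has to handle: inside raw-text elements such as `<script>` and `<style>` the parser does not decode entities, so entity escaping is not a sufficient defence there and text placed in those elements needs separate treatment.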