Given I have some html text that I want to display in ui.table, together with other markdown text in the same column. I want to prevent code injection attacks, so I am using html.escape() on all text first.
When rendering in Wave, some escaped html characters are not visualized correctly:
This gets even more complex when combined with code fields. In this case, I would not want to escape anything inside the code blocks, but escape anything outside of them to prevent code injection.
Wave SDK Version, OS
Wave 1.5.1
Actual behavior
[Image: escaped csv]
So, somehow `<ul>` gets visualized correctly, while `<li><label for="usermail">Email</label>` is rendered with escaped strings `<`.
Expected behavior
Render escaped markdown in ui.table()
Potential improvement
Add a flag to force safe rendering in ui.table() to reduce the risk of code injection.
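One way to escape everything outside code blocks while leaving code untouched, as described in the report. This is an added example, not code from the original issue or from the Wave project. It assumes the markdown renderer escapes the contents of code blocks and code spans itself, and the names `escape_outside_code`, `FENCE` and `SAMPLE` are made up for illustration.

```python
import html
import re

FENCE = "`" * 3  # a three-backtick markdown fence, built here for the sample

# Code regions that are left untouched. Deliberately stricter than CommonMark,
# so anything ambiguous counts as plain text and gets escaped (fail closed):
#  - fenced block: opening fence at column 0, closed by an identical fence line
#  - inline span: on one line, opening backticks not preceded by a backslash
_CODE = re.compile(
    r"^(?P<fence>`{3,}|~{3,})[^`\n]*\n(?:.*\n)*?(?P=fence)[ \t]*$"
    r"|(?<![\\`])(?P<ticks>`+)(?!`)[^\n]+?(?<!`)(?P=ticks)(?!`)",
    re.MULTILINE,
)


def escape_outside_code(markdown: str) -> str:
    """HTML-escape raw (not yet escaped) markdown, skipping code regions."""
    out, pos = [], 0
    for m in _CODE.finditer(markdown):
        out.append(html.escape(markdown[pos:m.start()]))  # text before code
        out.append(m.group(0))                            # code, verbatim
        pos = m.end()
    out.append(html.escape(markdown[pos:]))               # trailing text
    return "".join(out)


# Constructed sample cell content, reusing the HTML from the report.
SAMPLE = (
    'Form: <label for="usermail">Email</label>\n'
    + FENCE + "html\n<ul><li>item</li></ul>\n" + FENCE + "\n"
    "Inline `<li>` stays, <b>this</b> does not.\n"
    "Backslash-escaped \\`<i>x</i>\\` is not a code span.\n"
)

if __name__ == "__main__":
    print(escape_outside_code(SAMPLE))
```

An unclosed fence and a multi-line inline span are treated as plain text and escaped, so the worst case is a visible `&lt;` rather than unescaped markup reaching the renderer.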