In templates, is there any way to distinguish plain text content from HTML content? Or does the caller need to always escape arbitrary text values?
As a contrived example, in the docs under the "Event" header, if I type `<b>bold!` into the text box, bold text appears, so it seems I can insert arbitrary HTML. That's fine for hard-coded values, but seems like a security issue for anything derived from user input.
For what it's worth, I like the minimal, modern JS-based approach of ArrowJS, but this seems like a potential footgun :)
Yeah, this 100% isn't supposed to happen. It should be doing an innerText assignment; for some reason it isn't, but that should be fairly easy to get fixed I think.
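The text-versus-HTML distinction the question asks about, shown as an added example in plain string form (this is not ArrowJS's own code or its template API): every interpolated value is escaped by default, and only values the caller explicitly wraps with a hypothetical `raw()` marker are inserted as markup.

```javascript
// Added example (not ArrowJS code): a tagged template that treats every
// interpolated value as plain text unless the caller explicitly marks it as
// trusted HTML, so user-derived values cannot change the document structure.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that can open a tag, close a tag, or break out
// of a quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Opt-in wrapper: only values passed through raw() are inserted unescaped.
// The type check below keys on this class, not on the string's contents.
class RawHtml {
  constructor(html) { this.html = html; }
}
function raw(html) { return new RawHtml(html); }

// Tagged template: the static parts come from the template author and are
// kept verbatim; interpolated values are escaped unless wrapped with raw().
function html(strings, ...values) {
  let out = strings[0];
  values.forEach((v, i) => {
    out += (v instanceof RawHtml ? v.html : escapeHtml(v)) + strings[i + 1];
  });
  return out;
}

// Default path: user text stays text, whatever it contains.
function renderSafe(text) {
  return html`<p>${text}</p>`;
}

// Explicit path: the caller vouches that the markup is author-controlled.
function renderTrusted(markup) {
  return html`<p>${raw(markup)}</p>`;
}

// Constructed sample: the value the issue typed into the text box.
const userInput = '<b>bold!';
console.log(renderSafe(userInput));        // <p>&lt;b&gt;bold!</p>
console.log(renderTrusted('<b>bold</b>')); // <p><b>bold</b></p>
```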