klaro-org / klaro-js

Klaro Privacy Manager. An open-source, privacy-friendly & compliant consent manager for your website.
https://klaro.org

Inline HTML within descriptions #76

Closed kalnode closed 4 years ago

kalnode commented 5 years ago

Is there a way to put inline HTML within descriptions?

For example:

        consentModal: {
            description:
                'text <br /> text text text.'
        },

BhaveshSGupta commented 5 years ago

@TheMangoTrain, were you able to find a solution for this?

jaller94 commented 5 years ago

This would almost certainly require unsafe insertion of HTML. Do you know a safe way to do this?

Is this about basic formatting like Markdown or full featured "Let's allow <script> and <iframe> inside of descriptions"?

robcain commented 4 years ago

i'd like to second this requirement/feature please.

it is severely limiting to have no use of even basic html content formatting, lists, links, line/para breaks, whatever, in these descriptions. none of this is unsafe i think.

as for any script or iframe tags etc - safer to strip out, i agree - although, since such elements can be created anyway using simple js/dom, and 'assuming' config data can't get hijacked or leak around the server, and providing it doesn't physically break your js code - the possible applications might still outweigh any extra risks/exposure.

adewes commented 4 years ago

I understand your point but allowing arbitrary formatting of the description text would make it hard for us to provide a consistent UI. Why would you need for example line breaks or headlines? Can you give me a concrete example of a description where you feel you're limited by plain text? For me, a description should be a short, succinct text that says in plain language what the given app does.

If we add rich-text long-form descriptions I would do it so that they are displayed only on demand. I can imagine that we support Markdown, which would be easier to implement and can be reasonably sanitized.

I will put this on our feature roadmap, please send me examples of text / content that you would like to show for individual apps.

adewes commented 4 years ago

No input from your side @robcain?

robcain commented 4 years ago

Hi Adews,

Thanks for your response. Sorry for my delayed reply. And thanks for your work on this code by the way - it really is appreciated.

To answer your questions:

As an example, I have two categories of cookie defined - 'Essential' and 'Non-essential' - within the short description of each I want to be able to display a simple, LEGIBLE list of the cookies & their respective purposes - and say briefly what the impact of disallowing them will be.

Another example, I have defined a group of (non-essential) '3rd party cookies' and I wish to list them - within a single optional category, and I wish to provide a single html link to each of those 3rd parties' cookies declaration.

Yet another, I wish to highlight (style) some single words - eg: '...some minor functionality may be unavailable if deactivated...', or '...NOT... retained... ' - in any event to make copy easy to pick out, read and understand, rather than a great block of words.

(Providing fine granular control over each individual cookie activation is overkill in my case, and for many applications where we just want to present the user with a simple, easy, on-or-off decision, allowing the user to get on with his/her day - which is what THEY want).

I could easily come up with other examples, but these are REAL requirements for me here and now.

Within the range of variability afforded by allowing some simple HTML mark-up, I can't really see that a 'consistent UI', down to this level of granularity is strictly necessary, nor even desirable here. The fact it is changeable text in the first place, suggests not; since this is arguably more 'content', than UI (flow/logic/data) anyway.

You seem to be assuming that simply because you personally are unable to imagine a valid use scenario, means that there cannot possibly be any. That is wrong thinking, I think. I suspect others contributing here might agree.

Thanks for your help Adews.

adewes commented 4 years ago

Cool, I'll think about how we can implement this!

cjk2 commented 4 years ago

Hello, I would also like it very much if you could at least mark the explanatory text with HTML. Is there already a time schedule?

Stekowus commented 4 years ago

I would love this feature! I would like to work with funny Headlines like "Mjammi, Cookies!" or stuff like that. I would also like to reduce the letters written in one line with a line break, so that it is easy to read. Typography is a nice way to communicate with customers. Why not use it?

ckidow commented 4 years ago

Upvoting this feature.

Maybe you guys can use this

larslehners commented 4 years ago

+1

robinson2 commented 4 years ago

+1

adewes commented 4 years ago

Hey everyone! In the consent notice and consent modal you can now use the extraHTML parameter to display arbitrary HTML content along with the normal text description, see here for an example:

https://github.com/kiprotect/klaro/blob/master/dist/config.js

I'm not sure if we will implement this for the app descriptions as well since they should follow the same style in order to be easy to understand and not misleading. We are thinking about a way to add more detailed information for each app though, which you could reveal if necessary. That information could then support HTML content.

That said it's also always a (albeit small) security risk to enable arbitrary HTML embedding, so we're really trying to keep the attack surface as small as possible.

adewes commented 4 years ago

We updated the config with a htmlTexts value that enables HTML parsing for the consent notice and consent modal texts, I think this resolves this issue.

robinson2 commented 4 years ago

The possibility to use HTML tags like <em>, <strong> and <br /> in descriptions would be nice.
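
One answer to the "safe way" question raised earlier in this thread, as an added example that is not part of the original issue and is not klaro's own code: an allowlist sanitizer that keeps the formatting tags commenters asked for (line breaks, emphasis, lists, links) and removes everything else. The names sanitizeDescription, BARE_TAGS and the test strings are hypothetical; the policy of dropping all attributes and accepting only http(s) links is an assumption.

```javascript
// Added example (not klaro code): allowlist sanitizer for description strings.
// sanitizeDescription and BARE_TAGS are hypothetical names.
const BARE_TAGS = new Set(['br', 'em', 'strong', 'p', 'ul', 'ol', 'li']);
const TAG = /<\/?[a-zA-Z][^<>]*>/g; // anything shaped like a complete tag
const PARTS = /^<(\/?)([a-zA-Z][a-zA-Z0-9]*)((?:[\s\/][^<>]*)?)>$/;
const HREF = /\bhref\s*=\s*(?:"([^"]*)"|'([^']*)')/i;

// Escape every character that could start markup or end an attribute value.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
}

// Re-emit an allowlisted tag from scratch. Nothing from the input tag is
// copied except an href that literally starts with http:// or https://.
function rewriteTag(tag) {
  const m = PARTS.exec(tag);
  if (!m) return ''; // e.g. custom elements such as <a-b>
  const closing = m[1] === '/';
  const name = m[2].toLowerCase();
  if (BARE_TAGS.has(name)) {
    if (name === 'br') return closing ? '' : '<br>';
    return closing ? `</${name}>` : `<${name}>`; // attributes are dropped
  }
  if (name === 'a') {
    if (closing) return '</a>';
    const h = HREF.exec(m[3]);
    const url = h ? (h[1] !== undefined ? h[1] : h[2]) : '';
    return /^https?:\/\//i.test(url)
      ? `<a href="${escapeHtml(url)}" rel="noopener noreferrer">`
      : '<a>'; // javascript:, data:, entity-encoded schemes lose the href
  }
  return ''; // script, iframe, img, ... are removed
}

// Text between tags is escaped; tags go through rewriteTag.
function sanitizeDescription(input) {
  const text = String(input);
  let out = '';
  let last = 0;
  for (const m of text.matchAll(TAG)) {
    out += escapeHtml(text.slice(last, m.index)) + rewriteTag(m[0]);
    last = m.index + m[0].length;
  }
  return out + escapeHtml(text.slice(last));
}
```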