Closed: Libter closed this issue 4 years ago
Let's sum this up and then decide if the backend needs changes. Correct me if I'm wrong (I've only slept 1h recently).
With a REST API based app, the endpoint should return messages (strings) as they are. Then the frontend should escape characters to prevent XSS. The backend should not alter the message because it may prevent proper data analysis.
By default Vue escapes HTML when using `{{ }}`, so it should be ok.
> The backend should not alter the message because it may prevent proper data analysis.

I totally agree, let's just not escape the `'` character.
To add to the confusion, the v2 panel has its own quirks with escaping 😱 I need to add a draft of submitting tickets on v3 to check whether it's only a v2 problem or v3 needs some work; currently it's hard to tell.
Why are some characters (for example `'`) escaped, while some more dangerous ones (`<`, `>`, `"`, etc.) are not?

Titles as text: (screenshot)

Titles as HTML: (screenshot)

Neither way is good.