lvlup-pro / spawn-frontend-material

Customer panel frontend for https://api.lvlup.pro
MIT License

Tickets titles: escaping characters in backend #76

Closed Libter closed 4 years ago

Libter commented 7 years ago

Why are some characters (for example ') escaped, while some more dangerous ones (<, >, ", etc.) are not?

Titles as text: [image]
Titles as HTML: [image]
Neither way is good.

SystemZ commented 7 years ago

Let's sum this up and then decide if the backend needs changes. Correct me if I'm wrong (slept only 1h recently).

With a REST API based app, the endpoint should return messages (strings) as they are. Then the frontend should escape characters to prevent XSS. The backend should not alter the message because that may prevent proper data analysis.

By default Vue escapes HTML when using {{ }}, so it should be OK.
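To make the two strategies concrete, here is an added example in plain JavaScript (not code from this repository): `backendPartialEscape` mimics the behaviour reported in the issue (only `'` escaped server-side), `escapeHtml` is what output-time escaping such as Vue's `{{ }}` interpolation achieves, and the ticket title is constructed.

```javascript
// Constructed sample ticket title containing every character that matters in an HTML context.
const sampleTitle = `Can't open <b>panel</b>, error "403"`;

// Simulates the backend behaviour described in the issue: only the apostrophe is escaped.
// Angle brackets and double quotes pass through, so markup injection is still possible,
// and the stored text is no longer the user's original.
function backendPartialEscape(title) {
  return title.replace(/'/g, "&#39;");
}

// Output-time escaping of the five characters significant in HTML text and attribute context.
// Vue's {{ }} writes a text node, which gives the same effect without touching the stored data.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// True if the string still contains characters the HTML parser would treat as markup.
function containsMarkup(s) {
  return /[<>"']/.test(s);
}

// Compare the three outcomes for one title:
//  - backendOnly: partially escaped by the server, still contains live markup
//  - frontendOnly: raw from the server, escaped once at render time (inert)
//  - both: escaped on the server and again by the frontend, so "&#39;" shows up literally
function compareStrategies(title) {
  const backendOnly = backendPartialEscape(title);
  const frontendOnly = escapeHtml(title);
  const both = escapeHtml(backendOnly);
  return {
    backendOnly,
    frontendOnly,
    both,
    backendOnlyStillDangerous: containsMarkup(backendOnly),
    frontendOnlySafe: !containsMarkup(frontendOnly),
    doubleEscaped: both.includes("&amp;#39;"),
  };
}

console.log(compareStrategies(sampleTitle));
```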

Libter commented 7 years ago

> The backend should not alter the message because that may prevent proper data analysis.

I totally agree, let's just not escape the ' character.

SystemZ commented 7 years ago

To add confusion, the v2 panel has its own quirks with escaping 😱 I need to add a draft of ticket submission on v3 to check whether it's only a v2 problem or v3 needs some work too; currently it's hard to tell.