manywho / ui-bootstrap


FLOW-2018: Use dompurify to sanitize presentation content output #171

Closed ianhaycox closed 3 years ago

ianhaycox commented 3 years ago

Ensure any user entered input has dangerous Javascript removed before rendering in the presentation components.

For example,

`<img src="x" onerror=alert(1) />` converts to,

`<img src="x">`

See https://github.com/cure53/DOMPurify for details.

ianhaycox commented 3 years ago

After discussions with Rick and Calvin, it has been decided to change the default to allow scripting so we don't break customers. However, the default player has been modified to prevent scripting by default (https://github.com/manywho/ui-html5/pull/58). This is to try to ensure new customers/flows are protected from XSS attacks out of the box. Generally it is expected that most production Flows do not use the default Player, so customers will need to enable the disableScripting setting in their custom players to be safe.