Elm HTML's non-optimized XSS warning bypassed by elm-css - Githubissues

rtfeldman / elm-css

Typed CSS in Elm.

https://package.elm-lang.org/packages/rtfeldman/elm-css/latest

BSD 3-Clause "New" or "Revised" License

1.23k stars 196 forks source link

Elm HTML's non-optimized XSS warning bypassed by elm-css #568

Open omnibs opened 2 years ago

omnibs commented 2 years ago

Expected

This behaves the same when using elm/html and elm-css:

a [href "javascript:close();"] [text "hi"]

Actual

Non-optimized build

Using elm/html
- You get an alert saying "This is an XSS vector. Please use ports or web components instead."
Using elm-css
- You get a link with javascript:close(); in the href

Optimized build

The optimized build is consistent with elm/html. Both produce an empty href.

Why bother fixing

elm/html's alert cues the user that they're doing something they shouldn't be doing

With elm-css, you'll only find out you messed up once you deploy