Should dashboard buttons allow html rather than just text?

[pjvandehaar]

Right now,

• component.text is plain text. I'd like to use HTML for glyphicons but don't need it.
• component.title is plain text
• title_component.title is html
• menu_component.button_html is plain text
• menu_component.menu_html is html
• covariates_component.button_html is plain text

Should all of these allow arbitrary HTML?

[Frencil]

All of the above should be safe to be interpreted as HTML. In general, any element being defined by the layout that's outside of the SVG context (so dashboard elements, tooltips, etc.) should accept arbitrary HTML where they accept arbitrary stings.

The only exception would be places where strings are being used for title attributes (e.g. LocusZoom.Dashboard.Component.Button.title) as HTML doesn't make sense in that context.

XSS is not a concern here... any <script> tags pumped through LZ's HTML generation methods would not be executed as browsers don't automatically execute dynamic script tags. And since everything's client-side anyway if somebody really wanted to execute arbitrary JS they certainly could without needing to use LZ's HTML passthroughs.

[pjvandehaar]

Thanks for explaining about the XSS. I always assumed the browser evaluated scripts on node.innerHTML = string, but apparently that's jquery here, not documented.

[Frencil]

Fixed in a39f647, will be included in v0.5.7.