strazto/mandrake

Use XSS sanitization on HTML inputs, consider using front-end templating (or at least custom templating)

Closed this issue · 0 comments

Given that the data for the column specs can (& should) be passed around, inherited from other packages, etc., naively rendering this represents an XSS vulnerability.

A frontend XSS sanitization library should be used on any HTML that comes from an untrusted source before it is rendered. I'll probably use DOMPurify.

I'll probably have to write a wrapper for render_drake_graph that attaches the dependency to the widget.
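The following is an added example, not mandrake's own code and not the wrapper described in the issue. It illustrates the "custom templating" option from the title: a tooltip is built from an untrusted column spec twice, once by naive string interpolation and once through an HTML-escaping template, so the injected markup in the description is rendered as literal text. The spec fields (`name`, `type`, `description`) and the hostile sample spec are constructed for illustration and are not the project's schema.

```javascript
// Added example (not mandrake's code): escape-based templating for a node
// tooltip built from untrusted column-spec fields. The field names
// name/type/description are assumptions for illustration.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escapes the five characters that can break out of HTML text content or a
// quoted attribute value. This is only safe for those two contexts; it does
// not make a value safe to place inside a URL, an event handler, or <script>.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Naive rendering: the spec is interpolated straight into markup, so a
// description containing an <img onerror=...> tag executes in the viewer.
function renderTooltipNaive(spec) {
  return `<b>${spec.name}</b> (${spec.type})<br/>${spec.description}`;
}

// Templated rendering: every interpolated value passes through escapeHtml,
// so the same description is displayed as text instead of being parsed.
function renderTooltipEscaped(spec) {
  return (
    `<b>${escapeHtml(spec.name)}</b> (${escapeHtml(spec.type)})<br/>` +
    `${escapeHtml(spec.description)}`
  );
}

// Constructed sample: a column spec as it might arrive from another package
// that the widget author does not control.
const HOSTILE_SPEC = {
  name: 'amount',
  type: 'numeric',
  description: 'Total <img src=x onerror=alert(document.cookie)> billed',
};

// Returns true if the rendered markup contains any tag other than the ones
// the template itself emits (<b>, </b>, <br/>), i.e. attacker-supplied markup.
function containsForeignTag(html) {
  return /<(?!\/?b>|br\/>)/.test(html);
}

console.log('naive  :', renderTooltipNaive(HOSTILE_SPEC));
console.log('escaped:', renderTooltipEscaped(HOSTILE_SPEC));
```

Escaping at the template boundary is the minimal fix when the widget must assemble HTML strings itself; it does not replace a sanitizer such as DOMPurify when the spec is allowed to carry its own formatting markup, since then the goal is to keep a safe subset of tags rather than to neutralize all of them.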