
[Search] Security: preserveHTML should be false by default #3145

Open
dreaming-augustin opened this issue Dec 24, 2024 · 1 comment
Labels: tag/breaking-change (Any pull request which is waiting for a breaking change release), type/feat (Any feature requests or improvements)

Comments

@dreaming-augustin (Contributor)

The Search documentation on Security says it plainly:
https://fomantic-ui.com/modules/search.html#/security

The default (thus omitted) setting preserveHTML:true in the first example results in instantly getting an alert message.
It also injects hidden code into an additional click event handler on a search item (marked red).

Fomantic-UI should be safe and secure out of the box, and promote secure coding practices, as well as document them.

preserveHTML should be set as false by default. Developers should knowingly and purposefully set it to true, after they have considered the implications and made sure that the data they inject is indeed secure with strings properly escaped.

This would be a breaking change, as websites may depend on the current preserveHTML default value. However, it should be set to false, and a proper advisory (release note) given.

I can prepare a PR for code and documentation if this move is agreed in principle.
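As an added illustration (neither Fomantic-UI's code nor the reporter's), a small JavaScript emulation of what `preserveHTML` controls when a Search result title is rendered, with the current default beside the hardened setting; `escapeHtml`, `renderResultTitle`, `renderAll` and the sample `source` rows are constructed assumptions.

```javascript
// Added example, not Fomantic-UI's own code: emulates the effect of the
// `preserveHTML` setting on a Search result title. The helper names and
// the sample `source` rows below are constructed for this illustration.

// Escape the characters that let untrusted text become markup.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Render one result title the way it would be inserted into the DOM.
function renderResultTitle(settings, result) {
  // Current default: an omitted preserveHTML counts as true, so the raw
  // string is used as markup and anything inside it becomes live HTML.
  const preserveHTML = settings.preserveHTML !== false;
  return preserveHTML ? String(result.title) : escapeHtml(result.title);
}

// Constructed sample data: the second row carries markup that could have
// reached the search source through any user-controlled field.
const source = [
  { title: 'Safe Product' },
  { title: '<img src=x onerror="alert(1)">Injected' },
];

// Weak configuration: preserveHTML omitted, i.e. the current default.
const defaultSettings = { source };
// Hardened configuration proposed in this issue.
const hardenedSettings = { source, preserveHTML: false };

// Render every title under a given settings object.
function renderAll(settings) {
  return settings.source.map((r) => renderResultTitle(settings, r));
}

// In a page with jQuery and Fomantic-UI the hardened object is applied as:
//   $('.ui.search').search(hardenedSettings);
```

With `hardenedSettings` the injected row renders as inert text, so a developer who still needs rich markup must opt in with `preserveHTML: true` and escape the data themselves.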

@dreaming-augustin dreaming-augustin added state/awaiting-investigation Anything which needs more investigation state/awaiting-triage Any issues or pull requests which haven't yet been triaged type/bug Any issue which is a bug or PR which fixes a bug labels Dec 24, 2024
@dreaming-augustin (Contributor, Author)

Maybe we can consider the following issue at the same time. They are related because they deal with safe theming issues. We must establish and properly document a safe theming workflow for Search, Dropdown and other related APIs.

[dropdown] dedicated template function #1855

@lubber-de lubber-de added type/feat Any feature requests or improvements tag/breaking-change Any pull request which is waiting for a breaking change release and removed type/bug Any issue which is a bug or PR which fixes a bug state/awaiting-investigation Anything which needs more investigation state/awaiting-triage Any issues or pull requests which haven't yet been triaged labels Dec 24, 2024
@lubber-de lubber-de added this to the 2.10.x milestone Dec 24, 2024