Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Elm HTML's non-optimized XSS warning bypassed by elm-css #568

Open
omnibs opened this issue Mar 1, 2022 · 0 comments
Open

Elm HTML's non-optimized XSS warning bypassed by elm-css #568

omnibs opened this issue Mar 1, 2022 · 0 comments

Comments

@omnibs
Copy link

omnibs commented Mar 1, 2022

Expected

This behaves the same when using elm/html and elm-css:

a [href "javascript:close();"] [text "hi"]

Actual

Non-optimized build

  • Using elm/html
    • You get an alert saying "This is an XSS vector. Please use ports or web components instead."
  • Using elm-css
    • You get a link with javascript:close(); in the href

Optimized build

The optimized build is consistent with elm/html. Both produce an empty href.

Why bother fixing

elm/html's alert cues the user that they're doing something they shouldn't be doing

With elm-css, you'll only find out you messed up once you deploy

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant