Remaining inconsistencies of the color field #6183

Closed
2 tasks done
lukasbestle opened this issue Jan 22, 2024 · 0 comments · Fixed by #6195

lukasbestle commented Jan 22, 2024

I have retested the state of develop-minor after #6152 with the HTML examples in the XSS lab, specifically the test cases I wrote down in the issue here: #6056 (comment)

The new implementation unfortunately still suffers from HTML rendering issues:

  • All examples except the "Color (query, defaults)" example seem to double-escape the label. So we can render the label as HTML in Vue.
  • The "Color (query, defaults)" example does not seem to double-escape, which means that the default query does not escape on the backend. If I remember correctly with the other options fields, the query mode needs to escape on the backend so that the frontend can safely render as HTML.

To reproduce:

  • Pull the latest commits of the Sandbox
  • (Re)Load the Lab environment
  • Go to the XSS page and look at the 8 color fields
    • Everything labeled "This is OK" should be rendered as HTML and displayed in green
    • The "API (with HTML)" field should also render the bold part in the label
    • No red "Malicious string" should be rendered in red
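
The escaping contract discussed in the issue, as an added JavaScript sketch that is not part of the original issue and is not Kirby code: it models an untrusted label that is escaped zero, one or two times before it reaches an HTML sink. `escapeHtml`, `renderAsHtml`, `classifyLabel`, `checkAll` and the sample label are constructed for illustration, and the sink model is a simplification of real browser parsing.

```javascript
// Added illustration, not Kirby code: every name below is hypothetical.
const ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#039;" };
const DECODE = Object.fromEntries(Object.entries(ENTITIES).map(([c, e]) => [e, c]));

// One escaping pass, as a backend or a frontend text binding would apply it.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ENTITIES[c]);
}

// Simplified model of an HTML sink (such as v-html): tags become live markup
// and entities are decoded exactly once for display.
function renderAsHtml(delivered) {
  const markup = /<[a-z!\/]/i.test(delivered);
  const text = delivered
    .replace(/<[^>]*>/g, "")
    .replace(/&(?:amp|lt|gt|quot|#039);/g, (e) => DECODE[e]);
  return { markup, text };
}

// Compare what the user would see with the raw untrusted value.
function classifyLabel(raw, delivered) {
  const { markup, text } = renderAsHtml(delivered);
  if (markup) return "unescaped";                          // markup reached the DOM
  if (text === raw) return "ok";                           // escaped exactly once
  if (text === escapeHtml(raw)) return "double-escaped";   // entities shown literally
  return "unknown";
}

// Constructed sample of an untrusted label value.
const RAW_LABEL = '<b style="color:red">Malicious string</b>';

function checkAll(raw = RAW_LABEL) {
  return {
    // Backend does not escape, frontend renders as HTML.
    noEscape: classifyLabel(raw, raw),
    // Backend escapes once, frontend renders as HTML.
    backendOnly: classifyLabel(raw, escapeHtml(raw)),
    // Backend escapes and the frontend escapes again.
    backendAndFrontend: classifyLabel(raw, escapeHtml(escapeHtml(raw))),
  };
}

console.log(checkAll());
```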