[Search] Security: preserveHTML should be false by default #3145

@dreaming-augustin

Description

The Search documentation on Security says it plainly:
https://fomantic-ui.com/modules/search.html#/security

The default (thus omitted) setting preserveHTML:true in the first example results in instantly getting an alert message.
It also injects hidden code into an additional click event handler on a search item (marked red).

Fomantic-UI should be safe and secure out of the box, and promote secure coding practices, as well as document them.

preserveHTML should be set as false by default. Developers should knowingly and purposefully set it to true, after they have considered the implications and made sure that the data they inject is indeed secure with strings properly escaped.

This would be a breaking change, as websites may depend on the current preserveHTML default value. However, it should be set to false, and a proper advisory (release note) given.

I can prepare a PR for code and documentation if this move is agreed in principle.
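The following is an added illustration, not code from Fomantic-UI or from the issue author. It uses a plain-JavaScript stand-in for a search result template (the `renderResult` function and the `preserveHTML` option name are assumed for illustration and only mirror the meaning of the setting discussed above) to show what the two values of the setting do with an attacker-controlled result record: with `preserveHTML: true` the markup is inserted verbatim and an event handler lands in the DOM, with `preserveHTML: false` the same record is rendered as inert text.

```javascript
// Added example, not Fomantic-UI code. A minimal stand-in for a search result
// template that either inserts result fields verbatim (preserveHTML: true) or
// HTML-escapes them first (preserveHTML: false).

// Escape the five characters that can break out of text or attribute context.
function escapeHTML(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hypothetical result renderer. `preserveHTML` mirrors the semantic of the
// setting in the issue: true inserts fields verbatim, false escapes them.
function renderResult(result, { preserveHTML }) {
  const fmt = preserveHTML ? (v) => String(v) : escapeHTML;
  return `<div class="result"><div class="title">${fmt(result.title)}</div>` +
         `<div class="description">${fmt(result.description)}</div></div>`;
}

// Constructed attacker-controlled record, e.g. a user-supplied entry that the
// search backend returns among the results.
const hostileResult = {
  title: '<img src=x onerror="alert(1)">',
  description: 'normal text',
};

function renderPreserving() {
  return renderResult(hostileResult, { preserveHTML: true });
}

function renderEscaped() {
  return renderResult(hostileResult, { preserveHTML: false });
}

// Naive check used only to make the difference visible: does any tag in the
// produced markup carry an on* event handler attribute?
function containsEventHandlerAttr(html) {
  return /<[^>]+\son[a-z]+\s*=/i.test(html);
}

// With preserveHTML: true the handler survives into the markup; with false it
// is rendered as literal text and the title shows up on screen as typed.
console.log('preserveHTML: true  ->', containsEventHandlerAttr(renderPreserving()));
console.log('preserveHTML: false ->', containsEventHandlerAttr(renderEscaped()));
```

Escaping on output is the right default because the renderer cannot know whether a given result came from a trusted source; a developer who does need markup in results can opt in per template after escaping the untrusted parts themselves.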

Metadata

Assignees

No one assigned

Labels

fixed in next-release/nightly (Any issue which has a corresponding PR which has been merged and is available in the nightly build)
tag/breaking-change (Any pull request which is waiting for a breaking change release)
type/feat (Any feature requests or improvements)
