
Elm HTML's non-optimized XSS warning bypassed by elm-css

Open omnibs opened this issue 3 years ago • 0 comments

Expected

This behaves the same when using elm/html and elm-css:

```elm
a [ href "javascript:close();" ] [ text "hi" ]
```

Actual

Non-optimized build

  • Using elm/html
    • You get an alert saying "This is an XSS vector. Please use ports or web components instead."
  • Using elm-css
    • You get a link with javascript:close(); in the href

Optimized build

The optimized build is consistent with elm/html. Both produce an empty href.

Why bother fixing

elm/html's alert cues the user that they're doing something they shouldn't be doing.

With elm-css, you'll only find out you messed up once you deploy.

omnibs avatar Mar 01 '22 18:03 omnibs
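The two behaviours the issue contrasts (a warning link in the non-optimized build, an empty `href` in the optimized one) come down to a single scheme check on the attribute value. The block below is an added illustration written for this page; it is not elm/html's, elm-css's or elm's kernel code. The regex, the whitespace stripping, the function names and the sample hrefs are all assumptions chosen to reproduce the behaviour described above, including the evasions (mixed case, embedded whitespace) a naive `startsWith("javascript:")` would miss.

```javascript
// Added illustration (not elm/html's or elm-css's own code): an href guard
// that behaves like the two build modes described in the issue. The regex,
// the whitespace stripping and the function names are assumptions.
const XSS_WARNING =
  'javascript:alert("This is an XSS vector. Please use ports or web components instead.")';

// Strip all whitespace first so "java\tscript:" and " javascript:" cannot
// hide the scheme, then compare case-insensitively. Browsers tolerate both
// tricks, so the guard has to as well.
function isJavaScriptUri(value) {
  return /^javascript:/i.test(String(value).replace(/\s/g, ""));
}

// Non-optimized build: keep the link, but make clicking it loudly wrong
// so the developer notices during development rather than after deploy.
function guardHrefDebug(value) {
  return isJavaScriptUri(value) ? XSS_WARNING : value;
}

// Optimized build: silently drop the payload, matching the "empty href"
// behaviour the issue reports for both libraries.
function guardHrefProd(value) {
  return isJavaScriptUri(value) ? "" : value;
}

// Constructed sample hrefs: the issue's payload, a few evasions, and two
// benign values that must pass through untouched.
const SAMPLES = [
  "javascript:close();",
  "JaVaScRiPt:close();",
  " \tjava\nscript:close();",
  "https://example.com/",
  "/relative/path",
];

// Run every sample through both modes and return the results as rows.
function demo() {
  return SAMPLES.map((href) => ({
    href,
    debug: guardHrefDebug(href),
    prod: guardHrefProd(href),
  }));
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(demo());
}
```

The check only covers the `javascript:` scheme the issue is about; it is the minimum a `href` setter should do before an attribute reaches the DOM, and the point of the report is that elm-css's non-optimized path skips it entirely.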