Skip to content

Unscaped html for error msg #370

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 11 commits into from
Jan 9, 2018
Merged

Unscaped html for error msg #370

merged 11 commits into from
Jan 9, 2018

Conversation

gezichenshan
Copy link
Contributor

@gezichenshan gezichenshan commented Jan 9, 2018
edited
Loading

Adding a schema property named errorUnescaped to fulfill the situation that the severside return a string with unescaped html.
see: https://jsfiddle.net/7of916d4/2/

@icebob
Copy link
Member

icebob commented Jan 9, 2018

Is it important to create a new field property? Can we use always v-html to show the error messages?

@gezichenshan
Copy link
Contributor Author

I think you are right. But I've no idea whether this always v-html will result in some XSS attack?

@icebob
Copy link
Member

icebob commented Jan 9, 2018
edited
Loading

I think XSS is not relevant here because we don't render user input texts, just error messages what comes from the developer.
@zoul0813 What do you think?

@gezichenshan
Copy link
Contributor Author

Yep, I agree with you. So I'll remove the field property and add v-html on the error part.

@icebob
Copy link
Member

icebob commented Jan 9, 2018

Ok 👍

icebob
icebob requested changes Jan 9, 2018
View reviewed changes
src/formGenerator.vue Outdated
@@ -14,8 +14,7 @@ div.vue-form-generator(v-if='schema != null')
button(v-for='btn in field.buttons', @click='buttonClickHandler(btn, field, $event)', :class='btn.classes') {{ btn.label }}
.hint(v-if='field.hint') {{ fieldHint(field) }}
.errors.help-block(v-if='fieldErrors(field).length > 0')
span(v-for='(error, index) in fieldErrors(field)', v-if='field.errorUnescaped', v-html="error", track-by='index')
span(v-for='(error, index) in fieldErrors(field)', v-if='!field.errorUnescaped', track-by='index') {{ error }}
span(v-for='(error, index) in fieldErrors(field)', v-html="error", track-by='index')
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Add indent

@icebob icebob merged commit 3dd7680 into vue-generators:master Jan 9, 2018
@icebob
Copy link
Member

icebob commented Jan 9, 2018

Thanks!

@gezichenshan
Copy link
Contributor Author

With pleasure.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@icebob icebob icebob approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@gezichenshan @icebob