
Make it clear that the "html" attribute can be unsafe


What

We had a discussion on a design system Slack channel about the documentation not encouraging the use of the html parameter in macros. We concluded that we shouldn’t take away that functionality, but should make it clear it’s unsafe to use, causing people to rethink the strategy or apply the necessary fixes beforehand.

Why

It’s more efficient to copy and paste a block of text without realising what it’s doing. It could easily bring some XSS vulnerability into the application by accident, which we’d all like to avoid.

Proposal

Changing the name of the html attribute is a good start. This will need to be followed by some documentation changes on the Design System.

Before

{% from "panel/macro.njk" import govukPanel %}

{{ govukPanel({
  "titleText": "Application complete",
  "html": "Your reference number<br><strong>HDJ2123F</strong>"
})
}}

After

{% from "panel/macro.njk" import govukPanel %}

{{ govukPanel({
  "titleText": "Application complete",
  "unsafeHTML": "Your reference number<br><strong>HDJ2123F</strong>"
})
}}

Connection

alphagov/govuk-design-system#175
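As an added example (not code from govuk-frontend or from this issue's authors), the JavaScript below models the convention the issue is about: a `text`-style parameter is escaped before it reaches the page, while the `html` parameter is inserted verbatim, so untrusted data passed through `html` becomes an XSS sink. It also includes a small review aid that lists every raw-HTML parameter in a Nunjucks template and flags the ones fed from an expression rather than a string literal. `renderPanel`, `escapeHtml` and `findHtmlParams` are hypothetical helpers written for this illustration (the real govukPanel is a Nunjucks template), and the sample template and untrusted input are constructed.

```javascript
// Added example, not code from govuk-frontend or from this issue's authors.
// renderPanel, escapeHtml and findHtmlParams are hypothetical helpers written
// for this illustration; the real govukPanel is a Nunjucks template.

// Escape the characters that change meaning in an HTML text or attribute context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Models the macro convention the issue describes: a *Text parameter is escaped,
// the matching *Html / "html" parameter is inserted verbatim and takes precedence.
// Anything untrusted that reaches "html" therefore reaches the page unescaped.
function renderPanel(params) {
  const title = params.titleHtml !== undefined
    ? params.titleHtml
    : escapeHtml(params.titleText === undefined ? "" : params.titleText);
  const body = params.html !== undefined
    ? params.html
    : escapeHtml(params.text === undefined ? "" : params.text);
  return `<div class="govuk-panel"><h1 class="govuk-panel__title">${title}</h1>` +
    `<div class="govuk-panel__body">${body}</div></div>`;
}

// Constructed sample of attacker-controlled input reaching the component.
const UNTRUSTED = "<script>/* injected */</script>";

// Same input through the safe and the unsafe parameter, side by side.
function demo() {
  return {
    viaText: renderPanel({ titleText: "Application complete", text: UNTRUSTED }),
    viaHtml: renderPanel({ titleText: "Application complete", html: UNTRUSTED }),
  };
}

// Review aid: list every raw-HTML parameter in a Nunjucks template and say whether
// its value is a string literal (author-controlled) or an expression (needs review,
// because the data behind it may be user-supplied). Matches keys such as "html",
// "titleHtml" and "unsafeHTML".
function findHtmlParams(templateSource) {
  const findings = [];
  const keyRe = /"?(\w*html)"?\s*:\s*([^,}]+)/gi;
  templateSource.split("\n").forEach((lineText, index) => {
    let m;
    while ((m = keyRe.exec(lineText)) !== null) {
      const value = m[2].trim();
      findings.push({
        line: index + 1,
        key: m[1],
        value,
        literal: /^(["'])[\s\S]*\1$/.test(value),
      });
    }
  });
  return findings;
}

// Constructed template: the issue's literal example plus a variable-fed "html".
const SAMPLE_TEMPLATE = [
  "{{ govukPanel({",
  '  "titleText": "Application complete",',
  '  "html": "Your reference number<br><strong>HDJ2123F</strong>"',
  "}) }}",
  "{{ govukInput({",
  '  "label": { "html": params.labelHtml },',
  '  "id": "event-name"',
  "}) }}",
].join("\n");

if (typeof require !== "undefined" && require.main === module) {
  const out = demo();
  console.log("via text:", out.viaText);
  console.log("via html:", out.viaHtml);
  for (const f of findHtmlParams(SAMPLE_TEMPLATE)) {
    console.log(`line ${f.line}: ${f.key} = ${f.value} (${f.literal ? "literal" : "expression, review"})`);
  }
}
```

Run with `node` to see the two renderings: the `text` path emits `&lt;script&gt;…`, the `html` path emits the tag unchanged. The scanner's "expression" findings are the places a renamed `unsafeHTML` parameter is meant to draw attention to: a literal written by the template author is the author's responsibility, but an expression needs a check on where its data comes from or an escaping step before the macro call.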

Issue Analytics

  • State: closed
  • Created 6 years ago
  • Comments: 24 (24 by maintainers)

Top GitHub Comments

1 reaction
joelanman commented, Aug 23, 2018

I guess the main point I’m trying to make is, html param should be an exception - if we’re having to use it commonly that seems like we could investigate that macro to meet the common need a different way. The idea of macros is to avoid people writing their own html.

1 reaction
36degrees commented, Aug 23, 2018

I think we definitely can and should do more to support call, but it’s only going to be helpful for components that have one obvious ‘area’ that accepts HTML, and it won’t help where components call other components (such as passing HTML to the label that’s inside a text input).
