Always sanitize unless explicitly told not to
I want Quasar to be secure by default so I’m starting this discussion to get options like display-value-sanitize deprecated in favor of no-display-value-sanitize.
In the security section you read stuff like
If you are not customizing menu-related scoped-slots (i.e. option scoped slot), DO prevent the component from rendering HTML in the labels and sublabels with one or more of the sanitize properties.
and
Many developers have asked that the Loading plugin be able to display HTML, so this was enabled by default, but if you are worried, DO add sanitize: true and you removed the vector.
You can also read that components that are made for displaying user-supplied data like QChatMessage are allowing XSS attacks by default.
This is in my opinion crazy. It will give Quasar a bad reputation because most developers don’t read docs for intuitive frameworks unless they see a problem. Forgetting to sanitize is in most cases an invisible problem but seeing plain text html when you want it to render is not.
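To make the opt-in versus opt-out difference concrete, here is an added example that is not Quasar's code and not part of the issue: a minimal model of a label renderer with an `escapeHtml` helper, one variant in the current style (HTML is rendered unless `sanitize: true` is passed) and one in the proposed secure-by-default style (text is escaped unless `noSanitize: true` is passed). The prop names `sanitize` and `noSanitize`, the `escapesByDefault` check and the sample message are assumptions made for illustration; they mirror the page's `sanitize` / `no-display-value-sanitize` naming but are not Quasar's API.

```javascript
// Added example: a minimal model of a component label renderer, not Quasar's
// own implementation. It shows why an opt-out flag is safer than an opt-in one.

// Escape the characters that let text break out of a text context into markup.
function escapeHtml(str) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(str).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Current style as the issue describes it: HTML is rendered unless the caller
// remembers to pass `sanitize: true`. The prop name is an assumption.
function renderLabelOptIn(label, { sanitize = false } = {}) {
  return `<span>${sanitize ? escapeHtml(label) : label}</span>`;
}

// Proposed style: text is escaped unless the caller explicitly opts out with
// `noSanitize: true`. The prop name is an assumption (cf. no-display-value-sanitize).
function renderLabelSecureByDefault(label, { noSanitize = false } = {}) {
  return `<span>${noSanitize ? label : escapeHtml(label)}</span>`;
}

// Regression check a maintainer can keep in a test suite: with no props at all,
// does the renderer turn a harmless probe tag into text rather than markup?
function escapesByDefault(render) {
  const probe = '<i>probe</i>';
  return !render(probe).includes('<i>');
}

// Constructed sample input: text a user might submit into a chat component.
const userMessage = '<b>not actually bold</b> text typed by a user';

// Forgetting the flag is invisible with opt-in (the tag is interpreted) and
// obvious with opt-out (the tag shows up literally, so the developer notices).
console.log('opt-in, flag forgotten     :', renderLabelOptIn(userMessage));
console.log('secure default, no flag    :', renderLabelSecureByDefault(userMessage));
console.log('secure default, opted out  :', renderLabelSecureByDefault(userMessage, { noSanitize: true }));
console.log('escapes by default? opt-in :', escapesByDefault(renderLabelOptIn));
console.log('escapes by default? default:', escapesByDefault(renderLabelSecureByDefault));
```

The point of `escapesByDefault` is that it tests the zero-configuration path, which is the path most developers actually ship; a component that only passes this check when a prop is remembered is the situation the issue objects to.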
Issue Analytics
- State:
- Created 4 years ago
- Reactions:3
- Comments:5 (4 by maintainers)

@rognstad Done. Quasar 2 (with Vue 3) will sanitize by default unless not told to.
I’m strongly in favor of a breaking change on this with Quasar v2.
At a minimum, it seems like the QSelect and QChatMessage docs should have a huge red warning at the top of the page that they are insecure by default. (And sorry to necro this 😕)