Comments (5)
Definitely. It actually is fixed in the arrow-refactor-2 branch (as well as a bunch of perf improvements). However, that said, arrow is still an experiment and I’m looking for the right tradeoffs to make. There will likely be an arrow-refactor-3 branch, perhaps even a 4th, as we try to pathfind here.
from arrow-js.
This is also generally only a problem with third party data. Most people don’t XSS attack themselves. Still useful to be aware of.
Will these be fixed?
@justin-schroeder thanks for the update. Do you have a sense of when the next version would be released / how breaking it would be? Is there a good way to follow progress? I'm starting a new project and interested in trying Arrow. Curious what the upcoming changes and timelines are like.
@cferdinandi the code you show has these hard-coded into the templates themselves. I'm more worried about an XSS attack where I include some data as text content and arrow fails to escape it such that it injects tags/behavior onto the page. Have you seen anything like that? Am I thinking about this the right way?
@madelson That's exactly right! I hard-coded them just for example purposes, but in real-life situations, the danger is user-generated or API-derived data that you use in your templates containing malicious code.
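A regression check for the concern raised in the last two comments, added here as an example and not taken from arrow-js: a toy template tag (hypothetical `html`) that escapes every interpolated value as text, plus a probe-based test that asserts the rendered tag structure never changes when user-supplied data is interpolated.

```javascript
// Added example (not arrow-js code): escape interpolated values as text and
// check that untrusted data can never introduce new tags into the markup.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that can change HTML structure or break out of
// an attribute value.
function escapeText(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Hypothetical tagged template: the static strings are trusted markup from
// the developer, every ${...} value is treated as text and escaped.
function html(strings, ...values) {
  return strings.reduce(
    (out, s, i) => out + s + (i < values.length ? escapeText(values[i]) : ''),
    ''
  );
}

// Template under test: author and body come from user/API data.
function renderComment(author, body) {
  return html`<li class="comment"><b>${author}</b>: <span>${body}</span></li>`;
}

// Extract the sequence of tag names (opening and closing) from rendered markup.
function tagNames(markup) {
  return [...markup.matchAll(/<\/?([a-zA-Z][\w-]*)/g)].map((m) => m[1].toLowerCase());
}

// Constructed probe inputs: each would alter the document structure if the
// renderer inserted it as markup instead of text.
const PROBES = ['<b>bold</b>', '"><i>x</i>', "' onmouseover='x'", '&lt;already&gt;'];

// True when every probe renders with exactly the same tag sequence as a
// baseline render using harmless values, i.e. data stayed data.
function textInterpolationIsSafe(render) {
  const baseline = tagNames(render('alice', 'hello')).join(',');
  return PROBES.every((p) => tagNames(render(p, p)).join(',') === baseline);
}
```

Run `textInterpolationIsSafe` against whatever component you are worried about; a renderer that concatenates values straight into markup fails it as soon as one probe adds a tag.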