WYSIWYG (Quill) and XSS about wink HOT 5 CLOSED

I thought about it before releasing but I don't want to remove such flexibility from Wink just to protect you form yourself or your team. I want you to be able to embed anything in the editor (Tweet, Instagram Post, YouTube Video, ServiceThatIsNotPopular Embeddable card, etc...)

With that comes risk yes, but if there's no trust between you and your team there's more harm than XSS can be done :)

from wink.

A cleaver way might be if we leave the option to the user, let's say we add "activate XSS protection" as a boolean value in the config, what do you think?

from wink.

@themsaid Fair enough... I would still add a mention somewhere as there might exists some sneaky 2 stage attacks this behaviour helps a lot.

But to be fair, HTMLPurifier could be use to remove at least the blatant js hacks based on html attributes and script tags. It wouldn't prevent you from using iframes and the rest for embeded cards.

With that comes risk yes, but if there's no trust between you and your team there's more harm than XSS can be done :)

Do you trust anyone you work with to be good with computer and never leave their logged in phone on a table ? Even without malice, a naive team member can do harm in this setup.

Once again, your call, but I'd add a disclaimer.

from wink.

@Lelectrolux I think I'm going to close this for now since I'm not really willing to disable the HTML embeds, but adding a note about it in the docs is a good idea. Will make sure I do that when the docs are ready.

Thanks :)

from wink.

Have a nice day.

from wink.