-
Notifications
You must be signed in to change notification settings - Fork 4.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Document proper use of RawHTML, escape-html, decodeEntities, etc #13156
Comments
Something overlooked in the original discussion is that plugin devs are building React apps outside of the editor, but which use Gutenberg's abstraction layer and components (for compatibility, future-proofness, visual consistency, etc). In those cases, it's very important for us to understand that Consider this example with internationalized strings that contain necessary HTML: <p id="qni-instructions">
<RawHTML>
{ sprintf(
__( 'Use the <code>%1$s</code> and <code>%2$s</code> keys to navigate, and press <code>%3$s</code> to open a link.', 'quick-navigation-interface' ),
shortcuts.previousLink.label,
shortcuts.nextLink.label,
shortcuts.openLink.label
) }
</RawHTML>
</p>
Security best practices and React's own philosophy states that, "it should be 'easy' to make things safe, and developers should explicitly state their intent when performing 'unsafe' operations. The prop name I think it should be renamed back to I feel like there also needs to be an officially recommended/documented way to handle examples like the above. Perhaps that's using DomPurify? HTML within localized strings feels like such a common situation (including within Core) that we might want to provide a core wrapper around it, though, similar to what we do with Moment.js. |
Having proposed the name originally, I certainly understand and agree with this sentiment. And on reflection, I'm not sure
This may be the more important point: Developers shouldn't find themselves reaching for a tool like The specific example you provide is acknowledged as a required feature for internationalization, tracked at #9846 with some discussion there for how it might be implemented without needing |
Yeah, but it can become a wrapper for The sooner we do that, the fewer devs will be impacted.
Thanks! I missed that.
I agree, but I don't think the two are mutually exclusive, and we'll never be able to provide alternatives for all the the times when people need |
Removing 'Needs Technical Feedback' as this seems to have already been discussed. |
Is this still valid? Is this something we should work to document in the Block Editor Handbook? I wasn't able to find anything about sanitization, XSS, etc in that handbook, only the general security section in the common APIs handbook |
XSS vulnerabilities are very common in plugins, but there's almost no documentation about how to protect against them when building blocks.
RawHTML
is only mentioned in passing, anddecodeEntities
isn't mentioned at all.I think it's important to provide guidance on when to use each of those, how to use them (with examples), and also when not to use them.
It's true that in the context of an editor, protection may not be needed as often, but I think that makes it even more important to have good documentation. Otherwise, devs will be confused about when it's needed, especially when many are already overwhelmed by all the unfamiliar things they're learning right now.
The text was updated successfully, but these errors were encountered: