Add notice about the use of `html` arguments in Nunjucks macros for production #785
9385fb5 to fcdd77b
fcdd77b to 869e136
b97b028 to 37cbe54
app/views/layouts/readme.njk
Outdated
@@ -1,3 +1,4 @@ | |||
{% set nunjucksHtmlUsageMessage = '**If you’re using Nunjucks macros in production be aware that using `html` arguments, or ones ending with `Html` can be a [security risk](https://en.wikipedia.org/wiki/Cross-site_scripting).**' %} |
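Review bot: the notice says `html` arguments "can be a security risk" but not why, so a reader cannot tell what they must avoid; the PR description states the actual behaviour (values passed to `html` or `*Html` arguments are rendered unescaped), and saying that in the message itself, for instance that such values are output without escaping and must never contain user-supplied content, turns the warning into something a developer can act on. The Wikipedia link explains XSS in general rather than the Nunjucks behaviour that causes it here.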
Are there any components where this notice isn't being added? If not, is there any reason we couldn't just add this to this layout above the `componentArguments` block and save including this in every component?
No, it's everywhere. Updated it. Thanks.
37cbe54 to 431163c
app/views/layouts/readme.njk
Outdated
@@ -1,3 +1,4 @@ | |||
{% set nunjucksHtmlUsageMessage = '**If you’re using Nunjucks macros in production be aware that using `html` arguments, or ones ending with `Html` can be a [security risk](https://en.wikipedia.org/wiki/Cross-site_scripting).**' %} |
Could we link to the Nunjucks documentation: https://mozilla.github.io/nunjucks/api.html#user-defined-templates-warning ?
431163c to 8fceec5
8fceec5 to 5a5b4d8
5a5b4d8 to 6f32d51
6f32d51 to 2be874d
And call it above the table of arguments block
2be874d to 41e1dfa
As discussed with team, we want to test this approach and might revisit the solution in the next quarter.
For now, this addresses the points raised in the Trello card.
We need to make developers aware that if they decide to use Nunjucks macros in production and use `html` arguments or ones ending in `Html`, these render unescaped html, making it a security risk.

This adds notice text before and after the table of arguments in the README file for each component.
Text is set as a variable, so it can be updated in a single place if required.
Part of this Trello ticket:
https://trello.com/c/SruPShLz/1049-add-clearer-documentation-around-text-vs-html-in-nunjucks-macros
Addresses: #514