Previous discussion: #407, d439145.
Atm, those formats both act the same in QmlWeb and both allow arbitrary HTML. That should be fixed to allow displaying only the documented subset of tags and attributes in each case.
See Text#text and Text#textFormat.
That should be done either using a third-party sanitizer with an appropriate ruleset or setting the content also through generating safe DOM instead of directly assigning `innerHtml`.
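
One way to enforce a tag and attribute allowlist before markup reaches the DOM, added here as an example and not QmlWeb's own code. The `ALLOWED` ruleset, the `SAFE_VALUE` patterns and the `sanitize` name are assumptions for illustration, not the documented Qt subset.

```javascript
// Added example. ALLOWED is an illustrative ruleset (an assumption), not Qt's documented tag list.
const ALLOWED = new Map(Object.entries(
  { b: [], i: [], u: [], br: [], p: [], font: ["color"], a: ["href"] }));
const SAFE_VALUE = { href: /^(?:https?:\/\/|mailto:)/i, color: /^(?:#[0-9a-f]{3,8}|[a-z]+)$/i };

// Strict tag grammar; any "<" that does not fit it is treated as text and escaped.
const TAG = /<(\/?)([a-z][a-z0-9]*)((?:\s+[a-z-]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'<>=`]+))?)*)\s*\/?>/gi;
const ATTR = /([a-z-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'<>=`]+)))?/gi;

// Text keeps well-formed entities but can never open a tag.
function escapeText(s) {
  return s.replace(/&(?!(?:[a-z]+|#\d+|#x[0-9a-f]+);)/gi, "&amp;")
          .replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Attribute values are taken literally (entities are not decoded) and fully escaped.
function escapeAttr(s) {
  return s.replace(/&/g, "&amp;").replace(/"/g, "&quot;")
          .replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Output is built only from allowlisted names, validated attributes and escaped text.
function sanitize(html) {
  let out = "", last = 0;
  for (const m of html.matchAll(TAG)) {
    out += escapeText(html.slice(last, m.index));
    last = m.index + m[0].length;
    const name = m[2].toLowerCase();
    if (!ALLOWED.has(name)) continue;            // unknown element: drop the tag itself
    if (m[1]) { out += `</${name}>`; continue; } // closing tags carry no attributes
    let attrs = "";
    for (const a of m[3].matchAll(ATTR)) {
      const key = a[1].toLowerCase();
      const value = a[2] ?? a[3] ?? a[4] ?? "";
      if (ALLOWED.get(name).includes(key) && SAFE_VALUE[key].test(value)) {
        attrs += ` ${key}="${escapeAttr(value)}"`;
      }
    }
    out += `<${name}${attrs}>`;
  }
  return out + escapeText(html.slice(last));
}
```

The sanitizer does not balance tags; it relies on the HTML parser to close unbalanced elements within the target node when the result is assigned.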