
Comments (3)

amdw commented on July 28, 2024

Links in objectives should probably be unclickable and differently-coloured in edit mode, because it would be ambiguous whether clicking a link in an objective would open the link or edit the objective.

The edit dialog should contain a preview of the rendered objective and notes.

All links should open in a new window/tab.

from peoplemath.

amdw commented on July 28, 2024

I should also note here that security would be a major consideration in deciding how to implement this.

Content would have to be put through some sort of rendering library in the client, and then the resulting HTML included in the DOM, through an innerHTML binding or similar. This raises the potential for XSS vulnerabilities.

I believe Angular has some sanitization functionality that would help mitigate against this. However, I'd want to seek a security review of the proposed approach before implementing if possible, just to make sure I haven't missed anything.

https://angular.io/guide/security#preventing-cross-site-scripting-xss


amdw commented on July 28, 2024

I asked for some security advice internally regarding this feature.

I was told that we should be able to trust Angular's built-in sanitizer to mitigate XSS vulnerabilities that might otherwise arise from passing untrusted input to a Markdown library (most of which don't seem to sanitize their outputs -- e.g. Marked docs, Showdown docs).

It was also suggested that I could consider coupling this with DOMPurify in a restrictive configuration. This would add a further defence in depth against XSS vulnerabilities, as well as providing an easy way to restrict the Markdown features used, via an HTML tag allow-list.

The intent of this feature is basically just to enable the user to add very simple formatting like italics, bold and links; I wouldn't want to allow, for example, large heading tags to be injected in objectives by Markdown ## directives or similar. So overall this seems like quite an attractive approach.

DOMPurify would also allow us to achieve other things, like ensuring all links open in a new window. It should also be able to strip links in edit mode.

