Comments (3)
All of the above should be safe to be interpreted as HTML. In general, any element being defined by the layout that's outside of the SVG context (so dashboard elements, tooltips, etc.) should accept arbitrary HTML where they accept arbitrary strings.
The only exception would be places where strings are being used for title attributes (e.g. `LocusZoom.Dashboard.Component.Button.title`) as HTML doesn't make sense in that context.
XSS is not a concern here... any `<script>` tags pumped through LZ's HTML generation methods would not be executed as browsers don't automatically execute dynamic script tags. And since everything's client-side anyway if somebody really wanted to execute arbitrary JS they certainly could without needing to use LZ's HTML passthroughs.
Thanks for explaining about the XSS. I always assumed the browser evaluated scripts on `node.innerHTML = string`, but apparently that's jquery here, not documented.
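The two comments above draw a line between layout slots that accept HTML (dashboard elements, tooltip bodies) and slots such as a button's `title` attribute that accept plain text only. The snippet below is an added example, not LocusZoom code, showing how a layout helper can keep that distinction: a `title` value is always escaped for attribute context, while a tooltip template is passed through as HTML and only the data values substituted into it are escaped. The `{{name}}` placeholder syntax, the function names and the sample data are assumptions made for this example.

```javascript
// Added example, not part of LocusZoom: context-aware handling of layout strings.
// Layout authors may write HTML in HTML-accepting slots; values that arrive
// from a data source are treated as text wherever they are inserted.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape the five characters that are significant in HTML text content and
// in double-quoted attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Render a button's opening tag. `title` is a plain-text slot (the exception
// described in the thread), so its value is escaped unconditionally.
function renderButtonTitle(title) {
  return `<button title="${escapeHtml(title)}">`;
}

// Render a tooltip body from a layout-supplied template. The template itself
// is an HTML-accepting slot and is passed through unchanged; each
// `{{field}}` placeholder (assumed syntax) is replaced with the escaped data
// value, so markup inside a data field is shown literally rather than parsed.
// Unknown placeholders are left as written so the omission is visible.
function renderTooltip(template, fields) {
  return template.replace(/\{\{(\w+)\}\}/g, (match, key) =>
    Object.prototype.hasOwnProperty.call(fields, key) ? escapeHtml(fields[key]) : match);
}

// Constructed sample data for a stand-alone run.
const sampleFields = { variant: 'rs123', pvalue: '1e-8' };
console.log(renderButtonTitle('Download "plot" <svg>'));
console.log(renderTooltip('<strong>{{variant}}</strong> p={{pvalue}}', sampleFields));
```

Keeping the escaping decision in the renderer rather than in each layout means a layout author never has to remember which slot is HTML and which is text; the slot decides. Note that escaping the substituted data values does not restrict the layout author's own markup in the template, which is exactly the passthrough behaviour the first comment describes.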
Fixed in a39f647, will be included in v0.5.7.