-
Notifications
You must be signed in to change notification settings - Fork 744
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Enhancement]: Prevent writing invalid module title (such as HTML, CSS, JS) #6035
Comments
I agree in principle, however, we have many years of folks relying on being able to put HTML into the module title, so I fear that this change could break existing workflows for some folks. If we decide encoding is a better default, I would want to put that change behind some kind of flag, so that it only affects new sites (or at least allows old sites to opt into the previous behavior). |
I agree, I have seen multiple implementations where html was used in titles. Not saying this change is wrong, but it has that implication of breaking some existing sites |
Hmm, I am thinking we could make it an opt-in feature (web.config, host setting, portal setting) that way the new behavior could be ON for new installs and OFF on upgrades... I think I would prefer a site setting with a UI toggle in a perfect world, that way we can even make it off upon upgrade and one could just toggle it back on only if needed.... |
I too woudl say that this needs to at a minimum be a setting, but I think it should be allowed most likely by default due to content. I will try to have this as topic of discussion at the next TAG/Approvers meetings |
Is there an existing issue for this?
Description of problem
I think that we shouldn't set HTML or JS in the module title and should prevent writing invalid code.
Description of solution
It's very simple to solve it. we should use
WebUtility.HtmlEncode()
when update module title.Description of alternatives considered
No response
Anything else?
No response
Do you be plan to contribute code for this enhancement?
Would you be interested in sponsoring this enhancement?
Code of Conduct
The text was updated successfully, but these errors were encountered: