Add notice about the use of html arguments in Nunjucks macros for production
#785
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
govuk-design-system-ci
temporarily deployed
to
govuk-frontend-review-pr-785
kr8n3r
force-pushed
the
add-html-in-nunjucks-arguments-messaging
branch
from
9385fb5
to
fcdd77b
Compare
govuk-design-system-ci
temporarily deployed
to
govuk-frontend-review-pr-785
kr8n3r
changed the title
html arguments in Nunjucks macros for productionhtml arguments in Nunjucks macros for production
kr8n3r
force-pushed
the
add-html-in-nunjucks-arguments-messaging
branch
from
fcdd77b
to
869e136
Compare
govuk-design-system-ci
temporarily deployed
to
govuk-frontend-review-pr-785
govuk-design-system-ci
temporarily deployed
to
govuk-frontend-review-pr-785
govuk-design-system-ci
temporarily deployed
to
govuk-frontend-review-pr-785
kr8n3r
force-pushed
the
add-html-in-nunjucks-arguments-messaging
branch
from
b97b028
to
37cbe54
Compare
govuk-design-system-ci
temporarily deployed
to
govuk-frontend-review-pr-785
36degrees
reviewed
Jun 14, 2018
app/views/layouts/readme.njk
Outdated
| @@ -1,3 +1,4 @@ | |||
| {% set nunjucksHtmlUsageMessage = '**If you’re using Nunjucks macros in production be aware that using `html` arguments, or ones ending with `Html` can be a [security risk](https://en.wikipedia.org/wiki/Cross-site_scripting).**' %} | |||
There was a problem hiding this comment.
Are there any components where this notice isn't being added? If not, is there any reason we couldn't just add this to this layout above the componentArguments block and save including this in every component?
There was a problem hiding this comment.
no, it's everywhere. updated it. thanks
kr8n3r
force-pushed
the
add-html-in-nunjucks-arguments-messaging
branch
from
37cbe54
to
431163c
Compare
govuk-design-system-ci
temporarily deployed
to
govuk-frontend-review-pr-785
NickColley
reviewed
Jun 14, 2018
app/views/layouts/readme.njk
Outdated
| @@ -1,3 +1,4 @@ | |||
| {% set nunjucksHtmlUsageMessage = '**If you’re using Nunjucks macros in production be aware that using `html` arguments, or ones ending with `Html` can be a [security risk](https://en.wikipedia.org/wiki/Cross-site_scripting).**' %} | |||
There was a problem hiding this comment.
Could we link to the Nunjucks documentation: https://mozilla.github.io/nunjucks/api.html#user-defined-templates-warning ?
kr8n3r
force-pushed
the
add-html-in-nunjucks-arguments-messaging
branch
from
431163c
to
8fceec5
Compare
govuk-design-system-ci
temporarily deployed
to
govuk-frontend-review-pr-785
kr8n3r
force-pushed
the
add-html-in-nunjucks-arguments-messaging
branch
from
8fceec5
to
5a5b4d8
Compare
govuk-design-system-ci
temporarily deployed
to
govuk-frontend-review-pr-785
kr8n3r
force-pushed
the
add-html-in-nunjucks-arguments-messaging
branch
from
5a5b4d8
to
6f32d51
Compare
govuk-design-system-ci
temporarily deployed
to
govuk-frontend-review-pr-785
kr8n3r
force-pushed
the
add-html-in-nunjucks-arguments-messaging
branch
from
6f32d51
to
2be874d
Compare
govuk-design-system-ci
temporarily deployed
to
govuk-frontend-review-pr-785
added 3 commits
June 18, 2018 16:34
And call it above the table of arguments block
kr8n3r
force-pushed
the
add-html-in-nunjucks-arguments-messaging
branch
from
2be874d
to
41e1dfa
Compare
hannalaakso
approved these changes
Jun 18, 2018
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
We need to make developers aware that if they decide to use Nunjucks macros in production and use
htmlarguments or ones ending inHtmlthat render unescaped html, making it a security riskThis adds notice text before and after the table of arguments in the README file for each component.
Text is set as a variable, so it can be updated in a single place if required.
Part of this Trello ticket:
https://trello.com/c/SruPShLz/1049-add-clearer-documentation-around-text-vs-html-in-nunjucks-macros
Adresses: #514