Conversation
Thank you for the PR, but similar PRs have been rejected before. I don't want to make it easier for people to enable XSS security vulnerabilities.
Thank you for your answer.
How do you feel about having an HTML-enabled cell, but not allowing it to have an "edit mode"?
No it will not. Arbitrary HTML can come from many different places, but as long as they are not allowed to be rendered as HTML, they are harmless. The main line of defence is not edit mode, it's display mode. I honestly can't think of a use case where it is preferable to allow arbitrary HTML code entered into a table cell. Why would that be useful?
This use case is when one needs to display something like icons in the cell next to the string value. Some more concrete examples:
None of the above use cases would need an edit mode, since these cells are all intended as informational cells only. But you are right; the real issue with XSS is the rendering, not the formatting or storing.
Sounds like the HTML are predefined. You can implement custom rendering yourself by extending one of the many cell types. I just don't want to make it easier for people who don't know what they are doing to hurt themselves.
That's actually what I have now: a custom rendering function on a custom cell type, which is generic enough to render any HTML string. Then I have a custom formatter which decides what icon (if any) to display. It all works pretty well, and looks ver, but I was just considering contributing it back to the community since I have seen a few other comments about "how do I easily display HTML in a cell". But I can understand your concern.
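The two comments above describe the safe shape of such a cell: the icon markup is predefined, the formatter only picks which icon to show, and the cell's own value is never rendered as HTML. The following is an added example sketching that design, not code from the project or from either participant; the function names (`escapeHtml`, `chooseIcon`, `renderIconCell`), the `ICONS` table and the formatter's matching rules are assumptions, and the contrasting `renderHtmlCellUnsafe` only shows what a generic "render any HTML string" cell does with the same input.

```javascript
// Added example (not the project's code). Display mode is the line of
// defence: the cell value is always escaped as text, and the only markup
// that reaches the DOM is chosen from this fixed, predefined table.
const ICONS = Object.freeze({
  ok: '<span class="icon icon-ok" aria-hidden="true">&#10003;</span>',
  warning: '<span class="icon icon-warning" aria-hidden="true">&#9888;</span>',
  error: '<span class="icon icon-error" aria-hidden="true">&#10007;</span>',
});

// Escape the five characters that matter in HTML text and attribute context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Formatter (hypothetical rules): decides which icon, if any, a value gets.
// It returns a key into ICONS, never markup, so the value cannot smuggle HTML.
function chooseIcon(value) {
  if (typeof value !== 'string') return null;
  if (/^error/i.test(value)) return 'error';
  if (/^warn/i.test(value)) return 'warning';
  if (/^ok\b/i.test(value)) return 'ok';
  return null;
}

// Renderer for the "icon cell": icon from the allowlist, value as escaped text.
// hasOwnProperty guards against keys like "constructor" reaching the prototype.
function renderIconCell(value, iconKey = chooseIcon(value)) {
  const icon = Object.prototype.hasOwnProperty.call(ICONS, iconKey) ? ICONS[iconKey] : '';
  return icon + escapeHtml(value);
}

// For contrast: a generic HTML cell that trusts its value. Whatever markup is
// stored in the cell is rendered as-is, which is the XSS concern raised above.
function renderHtmlCellUnsafe(value) {
  return String(value);
}

// Constructed sample values, as a grid might pass them to the renderer.
const samples = ['OK <b>done</b>', 'Warning: low disk', 'plain text'];
for (const v of samples) {
  console.log(renderIconCell(v));
}
```

The renderer's output is what would be assigned to the cell element's `innerHTML`; because the value part is escaped and the icon part comes only from `ICONS`, the stored value has no way to add markup of its own.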
You can turn it into an extension and open source it ;) Call it an icon cell or something.
Hmm.... that's not a bad idea 👍 edit: updating link