Add HTML-to-text fallback section to secure coding guidelines
What does this MR do and why?
Originated from Teach Duo code review to catch (and not suggest... (!245810).
- Adds a section on HTML-to-text fallbacks to the secure coding guidelines, under the XSS section, as well as two relevant examples.
- Also tightens the guidelines surrounding
v-html(do NOT use: we have an lint preventing additions, and while you can skip it, the fact that there are a TOTAL of 5 uses in our whole codebase is for a reason) andv-safe-html(you may use it for user-controlled data ONLY when it's been sanitised by the backend first). Right now it dangerously suggests it's fine to use with arbitrary user-controlled data! It isn't! - Also removes an inaccurate comment I found while surveying our
v-htmluses (it says a given component needs to usev-htmlfor such-and-such a reason, but it was ported tov-safe-html5 years ago!).
MR acceptance checklist
Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Edited by Asherah Connor