Add HTML-to-text fallback section to secure coding guidelines

What does this MR do and why?

Originated from Teach Duo code review to catch (and not suggest... (!245810).

  • Adds a section on HTML-to-text fallbacks to the secure coding guidelines, under the XSS section, as well as two relevant examples.
  • Also tightens the guidelines surrounding v-html (do NOT use: we have an lint preventing additions, and while you can skip it, the fact that there are a TOTAL of 5 uses in our whole codebase is for a reason) and v-safe-html (you may use it for user-controlled data ONLY when it's been sanitised by the backend first). Right now it dangerously suggests it's fine to use with arbitrary user-controlled data! It isn't!
  • Also removes an inaccurate comment I found while surveying our v-html uses (it says a given component needs to use v-html for such-and-such a reason, but it was ported to v-safe-html 5 years ago!).

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Asherah Connor

Merge request reports

Loading