Comments (6)
In case of a datatip, where content doesn't come only from a language server (which could still be considered a vector) or codebase itself (but is also sourced from other areas of a project, including external dependencies), I would say it's good to have.
from atom-ide-datatip.
I think security here isn't an issue. Atom runs offline and a user installs a package by themselves. Using `sanitize` may cause removing some HTML code that is necessary to show the content correctly.
#57
from atom-ide-datatip.
> Atom runs offline

What do you mean?

> a user installs a package by themselves

I wouldn't suspect a package, it runs in Atom anyway, similarly with a language server (although in this case it could get a bit more complicated), but these have dependencies.

> using `sanitize` may cause removing some HTML code that is necessary to show the content correctly.

We should probably investigate first. Does atom-ide-ui suffer from a similar issue? It's using the same solution to sanitize datatips.
from atom-ide-datatip.
IMO it’s better to be secure by default. You don’t know where the input is sourced from, so you can’t be sure it’s safe. A provider doesn’t need to be malicious to send unsafe content, it could just be assuming this package will sanitise everything. The provider itself could be sourcing the content from anywhere, including online sources.
Better would be a flag on the message / provider that the provider can use to say “yeah, I claim this is safe to use without sanitising”. This means any security issues are because the provider itself is malicious (in which case it can do whatever it likes anyway), or because the provider has a bug (so unsafe unsanitised content would be its concern, not this package's). I believe VS Code offers something like this.
from atom-ide-datatip.
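The secure-by-default design with a provider opt-out flag described above, as an added JavaScript example that is not atom-ide-datatip's own code: the `trusted` field, `renderDatatip` and the minimal allowlist sanitiser are assumptions for illustration, not the package's API.

```javascript
// Added example (not atom-ide-datatip's code): a datatip renderer that
// sanitises provider HTML by default and only skips sanitising when the
// provider explicitly flags its content as trusted. `trusted` and
// `renderDatatip` are assumed names, not the package's real API.

const ALLOWED_TAGS = new Set(["b", "i", "em", "strong", "code", "pre", "p",
                              "br", "ul", "ol", "li", "a", "span"]);
const TAG_RE = /<\/?([a-zA-Z][a-zA-Z0-9-]*)\b([^>]*)>/g;
const HREF_RE = /\bhref\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;

// Minimal allowlist sanitiser for illustration only: keeps a few formatting
// tags, drops every other tag and every attribute except an http(s) href on
// <a>. A real package should use a maintained sanitiser library instead.
function sanitizeHtml(html) {
  return html.replace(TAG_RE, (match, name, attrs) => {
    const tag = name.toLowerCase();
    if (!ALLOWED_TAGS.has(tag)) return "";   // <script>, <img onerror=...>, ...
    if (match.startsWith("</")) return `</${tag}>`;
    if (tag === "a") {
      const m = HREF_RE.exec(attrs);
      const href = m ? (m[1] ?? m[2] ?? m[3]) : undefined;
      if (href && /^https?:\/\//i.test(href.trim())) {
        return `<a href="${href.replace(/"/g, "&quot;")}">`;
      }
    }
    return `<${tag}>`;                        // all other attributes dropped
  });
}

// A provider-supplied datatip message. `trusted` is the opt-out flag the
// thread proposes; absent or false means "sanitise" (secure by default), so
// a provider that merely forgot to sanitise still gets safe output.
function renderDatatip(message) {
  const trusted = message.trusted === true;
  const html = trusted ? message.html : sanitizeHtml(message.html);
  return { html, sanitized: !trusted };
}
```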
Yes, "secure by default" is a good approach.
Message/provider setting to turn sanitising off sounds good. However, it may encourage "fixes" of least resistance, which we can prevent. Unless a convincing case reveals itself, we shouldn't hurry with implementing the flag.
from atom-ide-datatip.
I guess the replies make sense. I will close this.
from atom-ide-datatip.