Not following. What concerns do you have with TextArea values? AFAIK, there’s no possibility of XSS attacks there.
Can you give me specific concerns you have?

> On Dec 9, 2021, at 5:03 PM, Kessler CTR Mark J <mark.kessler....@usmc.mil.INVALID> wrote:
>
> I am on the opposite spectrum of this opinion. We had to write our own library on top of the basic Royale for our applications that was more security minded. All of our defaults are for innerText as it will not interpret the contents or use new variants that already have security built in such as a textarea's "value" has security considerations by default now. This is important as cybersecurity teams or software tests can easily show basic XSS in fields either reflected or stored. Remember the end users are the ones that are directly affected by vulnerabilities built into a web application and a developer that does not follow good sanitization practices will surely allow easily preventable vulnerabilities in.
>
> We should always have secure defaults, but allow developers to violate good security practices on their own as a conscious decision.
>
> -Mark K