No, I was using TextArea.value as an example of the web standards finally 
including some built-in protection, while the older input styles still need 
to catch up.

-Mark K

-----Original Message-----
From: Harbs <harbs.li...@gmail.com>
Sent: Thursday, December 9, 2021 10:33
To: dev@royale.apache.org
Subject: [Non-DoD Source] Re: 0.9.9

Not following. What concerns do you have with TextArea values? AFAIK, there's no 
possibility of XSS attacks there.

Can you give me specific concerns you have?

> On Dec 9, 2021, at 5:03 PM, Kessler CTR Mark J 
> <mark.kessler....@usmc.mil.INVALID> wrote:
>
>    I am on the opposite spectrum of this opinion. We had to write our own 
> library on top of the basic Royale for our applications that was more 
> security-minded. All of our defaults are for innerText, as it will not 
> interpret the contents, or use new variants that already have security built 
> in, such as a textarea's "value", which has security considerations by default 
> now. This is important as cybersecurity teams or software tests can easily 
> show basic XSS in fields, either reflected or stored. Remember the end users 
> are the ones that are directly affected by vulnerabilities built into a web 
> application, and a developer that does not follow good sanitization practices 
> will surely allow easily preventable vulnerabilities in.
>
>   We should always have secure defaults, but allow developers to violate good 
> security practices on their own as a conscious decision.
>
>
> -Mark K
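The secure-default pattern Mark describes above (text sinks such as textContent or a textarea's value by default, with innerHTML only as a conscious opt-in), as an added example that is not part of this thread or of the Royale code base; the helpers `setContent` and `escapeHtml`, the element-like stand-in objects and the sample string are assumptions made so it runs outside a browser:

```javascript
// Added example (not Royale code, not from the thread's authors): a
// secure-by-default content setter. Untrusted text reaches the DOM through a
// text sink (textContent, or .value on a textarea/input), never through an
// HTML-interpreting sink (innerHTML) unless the caller explicitly opts in.

// Escape the characters HTML gives meaning to. A text sink does this
// implicitly; a markup sink leaves it to the developer.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hypothetical helper (not a Royale API). Returns the name of the sink used
// so callers and tests can verify which path a value took.
function setContent(el, value, opts = {}) {
  if (opts.allowHtml === true) {
    // Conscious opt-out of the safe default: the string is parsed as markup.
    el.innerHTML = value;
    return 'innerHTML';
  }
  if (typeof el.value === 'string') {
    // textarea/input: .value stores the string verbatim, never parsed as markup.
    el.value = value;
    return 'value';
  }
  // Any other element: textContent renders the string literally.
  el.textContent = value;
  return 'textContent';
}

// Minimal element-like objects so the example runs outside a browser
// (constructed stand-ins; in a page you would pass real DOM nodes).
function makeDiv() { return { textContent: '', innerHTML: '' }; }
function makeTextArea() { return { value: '', textContent: '', innerHTML: '' }; }

// Constructed sample: user-supplied text that happens to contain markup.
const SAMPLE = '<b>Hello</b> & <i>friends</i>';

// Runs all three paths and reports where the sample ended up.
function demo() {
  const div = makeDiv();
  const ta = makeTextArea();
  const optInDiv = makeDiv();
  return {
    divSink: setContent(div, SAMPLE),            // 'textContent'
    divStored: div.textContent,                  // literal string, shown as typed
    textareaSink: setContent(ta, SAMPLE),        // 'value'
    textareaStored: ta.value,                    // literal string
    optInSink: setContent(optInDiv, SAMPLE, { allowHtml: true }), // 'innerHTML'
    optInStored: optInDiv.innerHTML,             // a browser would parse this as markup
    escaped: escapeHtml(SAMPLE),                 // safe even for an innerHTML sink
  };
}

if (typeof document !== 'undefined') {
  // In a browser: the same helper on a real node; the tags show up as text.
  const node = document.createElement('div');
  setContent(node, SAMPLE);
  document.body.appendChild(node);
}
```

The point of the `allowHtml` flag is that the unsafe path has to be named at the call site, so a review or a grep finds every place markup rendering was chosen on purpose; the default path needs no sanitization because the browser never parses what it receives.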
