Using HTML in a bootstrap 4 toast

I have a project made a few years ago which is still using BS4. I've recently updated everything to AC2 and it's working fine apart from the toasts. I have some HTML in the message (mainly an href) but it's no longer being rendered and the raw html is being shown instead.

How can I get it to render html again?

We now sanitize all content to prevent xss injections. I've added an extra option to allow HTML for the message which will just set innerHTML. Default it will be disabled.

2 Likes

I must have missed this update, but wahoo! I've been using an HTML sanitizer on projects.

Is there any more info about the built-in sanitation?

Sorry, not exactly the correct wording. We don't sanitize the html but we escape it and just set it as text instead. In the old version we did set the message using innerHTML on the node which is not safe, we do not do that anymore. So you always have to explicit tell that you want to set it as html.

I wanted to support DOMPurify (github.com) for the places where html is injected, but currently to many users depend on scripts and custom elements/attributes to be injected. If you use dmx-html or the new Use HTML option for the toasts it will insert unsafe html without escaping or sanitizing. So having your own sanitizer formatter function is a good thing to have, especially when the content is generated from user input.

Gotcha - thanks for the explanation Patrick, that makes sense - I'll keep using a sanitizer in that case :slight_smile:

I've updated to 6.5.5 but I can't see any reference to HTML. Can you give me a steer on where it is? Cheers.

Fixed in Wappler 6.5.5

Can you give me a screenshot where to find this? I've updated but can't see it anywhere. Cheers.

This topic was automatically closed after 36 hours. New replies are no longer allowed.