Picker component: HTML code passed as the text value in a column gets executed #4270

Closed
xycd1996 opened this issue Aug 28, 2019 · 6 comments
@xycd1996

HTML code passed as the text value in a Picker component column gets executed. I suggest inserting the text with innerText to prevent XSS.

@chenjiahan
Member

This counts as a breaking change, so it will be changed in version 3.0: text will be used by default, and HTML can be enabled through an option.

@chenjiahan chenjiahan added this to the 3.0.0 milestone Aug 28, 2019
@xycd1996
Author

Because our project needs to go live, I edited PickerColumn.js directly on top of 2.x, changing
"domProps": { "innerHTML": _this2.getOptionText(option) }
to:
"domProps": { "innerText": _this2.getOptionText(option) }
Will this cause any other unforeseen errors?

@chenjiahan
Member

In theory there shouldn't be any problems.

@xycd1996
Author

OK, thanks.

@chenjiahan
Member

The next version will add an allow-html attribute to control whether HTML content is allowed.

@chenjiahan chenjiahan modified the milestones: 3.0.0, 2.1.8 Aug 28, 2019
@chenjiahan
Member

Supported as of version 2.1.8.
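
The innerHTML versus innerText choice discussed in this thread, gated by an allow-html style flag, as an added example that is not code from the thread or from Vant. Apart from `getOptionText`, which reuses the name quoted above, every function name is hypothetical; leaving HTML off unless the flag is passed is this example's own choice, and text assignment is modelled as HTML escaping so the result can be checked without a DOM.

```javascript
// Added illustration; not Vant source code. Names are hypothetical.

// Characters that can change how an HTML parser reads a string.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// A column option may be a plain value or an object with a `text` field.
function getOptionText(option) {
  if (option !== null && typeof option === 'object') {
    return 'text' in option ? option.text : '';
  }
  return option;
}

// Pick the DOM property as in the patch from the thread:
// innerText treats the value as text, innerHTML parses it as markup.
function optionDomProps(option, allowHtml = false) {
  const text = String(getOptionText(option) ?? '');
  return allowHtml ? { innerHTML: text } : { innerText: text };
}

// DOM-free stand-in for the result: a text assignment is modelled as
// escaped markup, an innerHTML assignment is passed through unchanged.
function renderOption(option, allowHtml = false) {
  const props = optionDomProps(option, allowHtml);
  const body = 'innerHTML' in props ? props.innerHTML : escapeHtml(props.innerText);
  return `<li class="option">${body}</li>`;
}

function renderColumn(column, allowHtml = false) {
  return column.map((option) => renderOption(option, allowHtml)).join('\n');
}

// Constructed sample column: a plain label, a label carrying markup, a number.
const sampleColumn = [
  'Hangzhou',
  { text: '<img src=x onerror="alert(1)">' },
  42,
];

console.log(renderColumn(sampleColumn));       // markup is shown as literal text
console.log(renderColumn(sampleColumn, true)); // markup reaches the HTML parser
```

With the flag off, option text from an untrusted source (an API response, user input) is displayed literally; turning it on is only appropriate when every option string is trusted or already sanitized.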
