HTML Injection: Bug or Feature?

We were debating whether to fix this “bug” or not. On the one hand, this could be used to create cool stuff without using JS tabs. On the other hand, this could be used for malicious purposes, though in the case of the plugin published on this can be avoided by checking the plugin before publishing it.

Fixing this bug will also cause some plugins not to work anymore.

So, who’s for fixing this bug, and who’s against it?

Which ones?
Only those using HTML injection, or even others?

Fix it. You have a reputation to keep.

Only those using HTML injection, of course.

I say fix it. Are there any alternatives for the plugins that use it to still provide their data?

  • Garrett

Fix all security bugs known so far ASAP.

Reviewing the plugin code doesn’t help: what about HTML code that dynamically loads data from the internet?

IIRC, fixing HTML injection will (partly) break AUC, DAD, DSS, GWC, LSI, WAI.

Fix it. You’ve made bold statements on timelines to address security vulnerabilities, and this one is long overdue by your own documented timelines.

Even though I have thought about abusing this bug… I have a strong vote for please fix it!

I would say fix it, but at the same time give some extra control types so that developers do not have to use this. For instance, an img control that can load and show a custom image in a dashboard based on an HTML src coming from a variable.

Btw, is there any doc on the JavaScript tab and how to use jQuery code in it? How to hook in some code in the page $.ready(). Could be cool to be able to use a jQuery plugin to build custom device dashboards.

My vote: fix it.