[FIX] Allow HTML in Toast content

[mrleblanc101]

Description

Allow HTML in Toast content

Related Issue

#248

Screenshots or GIFs (if appropriate):

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

• My code follows the code style of this project.
• My change requires a change to the documentation.
• [] I have updated the documentation accordingly.
• I have read the CONTRIBUTING document.
• I have added tests to cover my changes.
• All new and existing tests passed.

[Maronato]

Hello Sébastien! Thanks for the PR :)
While I understand the idea and motivation for allowing raw html strings, I fear that it would be a big security issue to do so, especially given that your implementation marks all strings as such.

Unfortunately, I don't feel comfortable allowing raw html by default, and I'd rather let end users implement the solution mentioned in #248 so that they can apply it only when it is safe to do so.

Thanks again for submitting the PR, though! Please do not hesitate to submit others in the future :)

[mrleblanc101]

I'm not sure I see the security issue if you have control over the API. Maybe I should add a props you are right, but I do think this should be in core, just like Nuxt Sweetalert 2 plugin. You can pass text or HTML if you know you have control over the content or if you know the content is correctly sanitized.

It's the same issue as v-html in general. Are you suggesting that Vue should drop v-html which is very commonly used ?

I find it very cumbersome to have to create a custom component just for that in every project.

[Maronato]

The vulnerability here is XSS. Vue's docs warns about the dangerous nature of v-html and makes it clear that it should never be used with user-generated content.

You might say that users of vue-toastification are not at risk because they control what is displayed, but that's not entirely true. What if you want to display something like ${username} liked your post!? The username is user-generated and a bad actor may use v-html to load a malicious script into the page.

This is a tiny and simple UI library. Users of it should not need to know implementation details to avoid vulnerabilities in their projects. The risks far outweigh the benefit of not having to create a custom component.

[mrleblanc101]

The risk is the same as using v-html in general. Why is it ok for vue to include this but not this package ?

What is ok for vue should be ok for this plugin. As I said the HTML could be a different prop like in sweetalert and clearly documented and it wouldn't be an issue.

[mrleblanc101]

What if I add an allowUnsafeHtml props ? Sound like it make it clear and prevent having to recreate a custom component (by duplicating the default component) just for that.
I pushed an update to the MR.