Expected
This behaves the same when using elm/html and elm-css:
a [href "javascript:close();"] [text "hi"]
Actual
Non-optimized build
- Using elm/html
- You get an alert saying "This is an XSS vector. Please use ports or web components instead."
- Using elm-css
- You get a link with
javascript:close(); in the href
Optimized build
The optimized build is consistent with elm/html. Both produce an empty href.
Why bother fixing
elm/html's alert cues the user that they're doing something they shouldn't be doing
With elm-css, you'll only find out you messed up once you deploy
Expected
This behaves the same when using
elm/htmlandelm-css:Actual
Non-optimized build
javascript:close();in thehrefOptimized build
The optimized build is consistent with
elm/html. Both produce an emptyhref.Why bother fixing
elm/html'salertcues the user that they're doing something they shouldn't be doingWith
elm-css, you'll only find out you messed up once you deploy