Closed Bug 1457233 Opened 7 years ago Closed 6 years ago

Allow AS router message content to include subset of HTML

Categories

(Firefox :: Messaging System, enhancement, P1)

Tracking

RESOLVED FIXED
Firefox 62
Iteration:
62.3 - Jun 18
Tracking Status
firefox62 --- fixed

People

(Reporter: k88hudson, Assigned: andreio)

References

(Blocks 1 open bug)

Details

Attachments

(2 files)

Snippets need to be able to include some HTML in messages such as links, bold/italic styling, etc. For example:

{
  "content": {
    "text": "Click this <a href='https://mozilla.org/whatever'>link</a>!"
  }
}

We should allow some tags and attributes to be rendered in a secure way. This could include React elements as well as standard DOM elements. Perhaps we could do something along the same lines of what the fluent project is using? [1]

[1] https://github.com/projectfluent/fluent.js/blob/8e4f284e04b9333393da8c66dca46d82f3e60b57/fluent-react/src/markup.js#L5
Blocks: 1432588
Severity: normal → enhancement
Iteration: --- → 62.1 - May 21
Priority: -- → P2
Iteration: 62.1 - May 21 → 62.2 - Jun 4
Assignee: nobody → andrei.br92
Iteration: 62.2 - Jun 4 → 62.1 - May 21
Priority: P2 → P1
(In reply to Kate Hudson :k88hudson from comment #0)
> We should allow some tags and attributes to be rendered in a secure way.
> This could include React elements as well as standard DOM elements.

Are you going to support _some_ tags or all HTML? Right now Snippets does not limit the included HTML.
Flags: needinfo?(khudson)
We're only going to support a whitelist, for security reasons and to make sure we're keeping with the design parameters of the template (for example, we wouldn't allow style or script tags). To what extent is HTML used now? Is it mostly for anchor tags / bold / italic / underline, or are there more complex use cases currently?
Flags: needinfo?(khudson)
Iteration: 62.1 - May 21 → 62.2 - Jun 4
(In reply to Kate Hudson :k88hudson from comment #2)
> We're only going to support only a whitelist for security reasons and to
> make sure we're keeping with the design parameters of the template (for
> example, we wouldn't allow style or script tags). To what extent is HTML
> used now? Is it mostly for anchor tags / bold / italic / underline, or are
> there more complex use cases currently?

I think supporting the basic tags you list should be enough. Could we get a document of all the supported tags so we can validate on our side?
Flags: needinfo?(khudson)
Flags: needinfo?(andrei.br92)
That sounds like a good idea. :andreio, can you add a list of supported HTML tags to the docs somewhere when you implement this?
Flags: needinfo?(khudson)
So the following tags are allowed: i, b, u, strong, em, br

If an element that is not on the list is used, the text content will be extracted and displayed. Grouping multiple allowed elements is not possible, only the first level will be used: “<u><b>text</b></u>” will be interpreted as “<u>text</u>”.

Links are more difficult with fluent because you cannot pass href attributes. Here is an example of how snippets would have to provide content:

{
  "text": "Here is a <downloadLink>download link</downloadLink> and here is our <privacyLink>privacy notice</privacyLink>.",
  "links": {
    "downloadLink": { "url": "https://..." },
    "privacyLink": { "url": "https://..." }
  }
}

This format would allow us to do 1 or more links using fluent. Let me know if this works with snippets-service.
Flags: needinfo?(andrei.br92) → needinfo?(giorgos)
Flags: needinfo?(giorgos)
Agreed on the format and the allowed tags. FTR this way of A HREF formatting is to help translations and it's equivalent to the {% trans link=http://example.com %} blocks we use in Jinja.
Andrei can you please update the message schemas to capture this?
Flags: needinfo?(andrei.br92)
Flags: needinfo?(andrei.br92)
The links should allow for a custom metric type, i.e. something different than 'click'. The current system workings are documented here:

- https://abouthome-snippets-service.readthedocs.io/en/latest/developing.html#custom-metric-pings

I suggest that we include this in the schema as:

{
  "text": "Here is a <downloadLink>download link</downloadLink> and here is our <privacyLink>privacy notice</privacyLink>.",
  "links": {
    "downloadLink": {
      "url": "https://...",
      "metric": "download-click"
    },
    "privacyLink": { "url": "https://..." }
  }
}

If 'metric' does not exist, it must default to 'click'.
Flags: needinfo?(andrei.br92)
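The rules agreed in the two comments above (the i/b/u/strong/em/br allowlist, text extraction for anything else, first-level-only nesting, named link elements resolved through a "links" map, and a "metric" that defaults to 'click') are put together below as an added example. It is not code from this bug, from Firefox or from snippets-service; it is a small tokenizer-based renderer written for illustration, not a DOM parser. Assumptions not stated in the bug: HTML tag names are matched case-insensitively while link element names are matched case-sensitively against the "links" keys, a tag that is neither allowed nor a link key is dropped with its text kept, attributes on allowed tags are discarded, and the URLs in the sample message are constructed.

```javascript
// Added example (not from the bug or from Firefox): renders a message "text"
// field under the allowlist rules discussed in the bug. Link names such as
// "downloadLink" follow the comments; URLs and other sample values are constructed.
const ALLOWED_TAGS = new Set(["i", "b", "u", "strong", "em", "br"]);
const DEFAULT_METRIC = "click";
// Matches an opening or closing tag. Attributes fall into [^>]* and are never used,
// so an attribute on an allowed tag (class, style, on*) can never reach the output.
const TAG_RE = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)\b[^>]*>/g;

function tokenize(text) {
  const tokens = [];
  let last = 0;
  for (const m of text.matchAll(TAG_RE)) {
    if (m.index > last) tokens.push({ type: "text", value: text.slice(last, m.index) });
    tokens.push({ type: m[1] ? "close" : "open", name: m[2] });
    last = m.index + m[0].length;
  }
  if (last < text.length) tokens.push({ type: "text", value: text.slice(last) });
  return tokens;
}

// Returns a flat node list: {type:"text",value}, {type:"element",tag,text},
// {type:"br"} or {type:"link",href,metric,text}. Only first-level elements survive;
// tags nested inside them, and tags not on the allowlist, contribute text only.
function renderMessage(message) {
  const links = message.links || {};
  const nodes = [];
  const stack = []; // names of currently open tags; only used to know the depth
  let open = null;  // the single first-level element currently collecting text

  const pushText = (value) => {
    if (!value) return;
    if (open) { open.text += value; return; }
    const prev = nodes[nodes.length - 1];
    if (prev && prev.type === "text") prev.value += value;
    else nodes.push({ type: "text", value });
  };

  for (const tok of tokenize(message.text)) {
    if (tok.type === "text") { pushText(tok.value); continue; }
    if (tok.type === "open") {
      const lower = tok.name.toLowerCase();
      if (lower === "br") { // void element: no depth change, dropped when nested
        if (stack.length === 0) nodes.push({ type: "br" });
        continue;
      }
      if (stack.length === 0) {
        if (ALLOWED_TAGS.has(lower)) {
          open = { type: "element", tag: lower, text: "" };
        } else if (Object.prototype.hasOwnProperty.call(links, tok.name)) {
          // hasOwnProperty keeps prototype names like <constructor> from resolving
          const link = links[tok.name];
          open = { type: "link", href: link.url, metric: link.metric || DEFAULT_METRIC, text: "" };
        }
        // any other tag is dropped; its text content flows into the surrounding text
      }
      stack.push(tok.name);
      continue;
    }
    // closing tag: unwind to the matching open tag, ignore it if there is none
    const idx = stack.lastIndexOf(tok.name);
    if (idx === -1) continue;
    stack.length = idx;
    if (stack.length === 0 && open) { nodes.push(open); open = null; }
  }
  if (open) nodes.push(open); // an unclosed first-level element is still emitted
  return nodes;
}

// Serialization for inspection: every text value is escaped, so the node list
// can never reintroduce markup that the renderer removed.
function escapeHTML(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}
function toHTML(nodes) {
  return nodes.map((n) => {
    switch (n.type) {
      case "text": return escapeHTML(n.value);
      case "br": return "<br/>";
      case "element": return `<${n.tag}>${escapeHTML(n.text)}</${n.tag}>`;
      case "link": return `<a href="${escapeHTML(n.href)}" data-metric="${escapeHTML(n.metric)}">${escapeHTML(n.text)}</a>`;
    }
  }).join("");
}

// Constructed sample in the shape agreed in the bug (URLs are placeholders).
const SAMPLE_MESSAGE = {
  text: "Here is a <downloadLink>download link</downloadLink> and here is our <privacyLink>privacy notice</privacyLink>.",
  links: {
    downloadLink: { url: "https://example.com/download", metric: "download-click" },
    privacyLink: { url: "https://example.com/privacy" },
  },
};
console.log(toHTML(renderMessage(SAMPLE_MESSAGE)));
console.log(toHTML(renderMessage({ text: "<u><b>text</b></u>" }))); // first level only
```

Running the block prints the sample rendered with the custom metric on the first link and the default 'click' on the second, and shows the nested “<u><b>text</b></u>” collapsing to “<u>text</u>”. Because link targets come only from the "links" map and never from an attribute in the text, the href can be validated server-side before the message is accepted, which is the property the fluent-style format buys over raw anchor tags.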
Iteration: 62.2 - Jun 4 → 62.3 - Jun 18
Andrei, I just talked to nan and it sounds like you two were talking about using the "value" field for this kind of custom metric type, which sounds good to me. Are you going to add that in this PR or do it in a follow-up?
The schema for the message giorgos posted looks good to me btw
Flags: needinfo?(andrei.br92)
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Blocks: 1467858
Blocks: 1469938
Component: Activity Streams: Newtab → Messaging System