Tags: javascript, mithril.js

Security Concerns with m.trust()


I'm trying to use a diff library in order to log edit histories of user posts for my page. That library gives me long JSON data for the diffs to store in my database, and I am using the same repository's PHP function to convert it into a tabular view with some HTML markup. Here's the sample output:

<table class="diff-wrapper diff diff-html diff-inline">
    <thead>
        <tr>
            <th colspan="2">Differences</th>
        </tr>
    </thead>
    <tbody class="change change-rep">
        <tr data-type="-">
            <th class="sign del">-</th>
            <td class="old">Donec rutrum, odio id tempus consequat, nunc nisi pulvinar dolor, ac faucibus massa erat non est. Integer blandit, eros quis sodales vulputate, erat ex euismod nisl, gravida vestibulum nibh elit pretium quam. Mauris turpis tortor, lacinia vitae purus eget, vulputate testing mollis felis.</td>
        </tr>
        <tr data-type="+">
            <th class="sign ins">+</th>
            <td class="new">Donec rutrum, odio id tempus consequat, nunc nisi pulvinar dolor, ac faucibus massa erat non est. Integer blandit, eros quis sodales vulputate, erat ex euismod nisl, gravida vestibulum nibh elit pretium quam. Mauris turpis tortor, lacinia vitae purus eget, vulputate testing mollis felis
                <ins> testing</ins>.
            </td>
        </tr>
    </tbody>
</table>

And then I'm requesting this HTML data from a URL (like /post/history/{id}) and rendering the response with the m.trust() function. That diff library also sanitizes the HTML from the user's input just before creating the JSON data, so there are only <table>, <tr>, <td>, <tbody>, <thead>, <ins> and <del> tags to render in the front end.

My question is: do I need to worry about this approach? Can a user step into this HTML output just before it reaches the m.trust() function and enter some unsanitized HTML? Is it possible to play with the URL's response before things happen?
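As an added example (not code from the question, from the diff library, or from Mithril itself): a Mithril 2 closure component that fetches /post/history/:id as text, checks the body against the tag allowlist the question describes before handing it to m.trust(), and renders an error instead when the check fails. The names validateDiffHtml and makeDiffHistory, and the attribute allowlist (class, colspan, data-type, read off the sample output), are assumptions. The check is a fail-closed assertion that the server's sanitizer output still has the expected diff-table shape; it is a defence-in-depth measure on the client, not a substitute for sanitizing on the server. The factory takes `m` as a parameter so the validator can be exercised where Mithril is not loaded.

```javascript
// Added example: verify that HTML destined for m.trust() still matches the
// diff-table shape described in the question, then render it in Mithril 2.
// validateDiffHtml, makeDiffHistory and the ALLOWED_* lists are assumed names,
// not part of Mithril or of the diff library.

// Tag set from the question; attribute names taken from the sample output.
const ALLOWED_TAGS = new Set(["table", "thead", "tbody", "tr", "th", "td", "ins", "del"]);
const ALLOWED_ATTRS = new Set(["class", "colspan", "data-type"]);

// One well-formed tag: optional "/", a name, zero or more quoted attributes.
// Anything that does not fit this shape (unquoted values, comments, a stray "<")
// is left behind as text and rejected below, so the check fails closed.
const TAG_RE = /<(\/?)([a-zA-Z][a-zA-Z0-9-]*)((?:\s+[^\s"'>\/=]+(?:\s*=\s*(?:"[^"]*"|'[^']*'))?)*)\s*\/?>/g;
const ATTR_RE = /([^\s"'>\/=]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'))?/g;

// Returns { ok: true } or { ok: false, reason } for the server's diff HTML.
function validateDiffHtml(html) {
  if (typeof html !== "string") return { ok: false, reason: "response is not text" };
  let cursor = 0;
  let match;
  TAG_RE.lastIndex = 0;
  while ((match = TAG_RE.exec(html)) !== null) {
    // Text between tags must not contain a raw "<"; the sanitizer emits &lt; there.
    if (html.slice(cursor, match.index).includes("<")) {
      return { ok: false, reason: "unparseable markup" };
    }
    cursor = TAG_RE.lastIndex;
    const tag = match[2].toLowerCase();
    if (!ALLOWED_TAGS.has(tag)) return { ok: false, reason: `tag <${tag}> not allowed` };
    ATTR_RE.lastIndex = 0;
    let attr;
    while ((attr = ATTR_RE.exec(match[3])) !== null) {
      const name = attr[1].toLowerCase();
      if (!ALLOWED_ATTRS.has(name)) {
        return { ok: false, reason: `attribute ${name} not allowed on <${tag}>` };
      }
    }
  }
  if (html.slice(cursor).includes("<")) return { ok: false, reason: "unparseable markup" };
  return { ok: true };
}

// Closure-component factory. Mithril is passed in rather than read from a global
// so this file can be loaded, and the validator tested, where `m` is undefined.
function makeDiffHistory(m) {
  return function DiffHistory() {
    let html = null;
    let error = null;
    return {
      oninit(vnode) {
        m.request({
          url: "/post/history/:id",
          params: { id: vnode.attrs.id },
          responseType: "text",
        })
          .then((body) => {
            const check = validateDiffHtml(body);
            if (check.ok) html = body;
            else error = check.reason;
          })
          .catch((err) => { error = err.message; });
      },
      view() {
        if (error !== null) return m("p.history-error", `Edit history could not be displayed: ${error}`);
        if (html === null) return m("p", "Loading...");
        // Only markup that passed the allowlist check reaches m.trust().
        return m("div.history", m.trust(html));
      },
    };
  };
}

// Constructed sample, abbreviated from the question's output, for a stand-alone run.
const SAMPLE_DIFF_HTML = `<table class="diff-wrapper diff diff-html diff-inline">
  <thead><tr><th colspan="2">Differences</th></tr></thead>
  <tbody class="change change-rep">
    <tr data-type="-"><th class="sign del">-</th><td class="old">vulputate testing mollis felis.</td></tr>
    <tr data-type="+"><th class="sign ins">+</th><td class="new">vulputate testing mollis felis<ins> testing</ins>.</td></tr>
  </tbody>
</table>`;

// In a page that loads Mithril:
//   m.mount(document.getElementById("history"), { view: () => m(makeDiffHistory(m), { id: 42 }) });
```

The validator deliberately accepts only the narrow shape the sanitizer is known to produce (quoted attributes, a fixed tag set, no comments or declarations), so any change on the server side that widens the output shows up as a rendering error rather than as trusted markup.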


Solution

  • Once the code is served to the user over HTTP, the user can do anything they want with it: this is the reason, for example, that Facebook logs a message in the console to warn inexperienced users not to use the dev tools to do things others have asked them to. But given that the user can write and execute any sort of dangerous code they want to, I wouldn't worry about how this relates to Mithril.

    In short, you have nothing to worry about if you trust the source of the code as far as you can tell - it's produced by back-end code on your server, so that's good enough for these purposes.

    If you have more questions about the concerns in this domain, you might want to ask in the Mithril chat room: https://gitter.im/mithriljs/mithril.js?source=orgpage