
How serious are the XSS attack blocks in elm?


I know that the Elm compiler blocks you from putting <script> tags in HTML documents. Instead, it will switch them to <p>s:

    import Html exposing (Html, node)
    import Html.Attributes exposing (id, src, type_)

    mathJax : Html msg
    mathJax =
        node "script"
            [ id "MathJax-script"
            , type_ "text/javascript"
            , src "https://cdn.jsdelivr.net/npm/mathjax@3/es5/tex-chtml.js"
            ]
            []

I managed to find a way around this. The compiled Elm code (in my case stored in a js file) contains some special code:

    // XSS ATTACK VECTOR CHECKS

    // Any virtual-DOM node whose tag name is "script" is created as a <p> instead.
    function _VirtualDom_noScript(tag)
    {
        return tag == 'script' ? 'p' : tag;
    }

The 'script' string could be replaced with 'scrip', and you can use <script> tags.

After a little research, I found out that this blocks XSS attacks. How serious is that concern? Should I use this trick to allow me to insert <script> tags?


Solution

  • One thing you should ask yourself is why would you want to do this? If you need to insert scripts, doing this from outside Elm is usually a more robust option anyway (for instance this allows the browser to start loading that resource before your Elm application has a chance to load/initialise).

    That being said, the main reason you should worry about this is for code that you don't control. The nice thing is that Elm makes it quite difficult to execute supply chain attacks against your code. If you weaken these protections, you might make yourself vulnerable to these. However, it is fairly unlikely that someone will attempt this attack indiscriminately, as it generally won't work against anyone trying to do this.

    (If you worry about being a target specifically, then you probably shouldn't be considering weakening any security feature).
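The pattern the answer recommends, written out as an added example (this is not code from the question, the answer, or the Elm project): the compiled check that turns a "script" node into a <p> is left exactly as it is, and the third-party script is loaded by the host page before `Elm.Main.init` runs. The `noScript` mirror, the `loadExternalScript`/`bootstrap` helpers, the stub document and the stub `Elm` namespace are all assumptions of this example so that it runs under Node without a browser; in a real index.html you would pass the real `document` and the real `Elm` object.

```javascript
// Mirror of the compiled Elm check quoted in the question (kept as-is, not patched):
// a virtual-DOM node named "script" is created as a <p>, so it never executes.
function noScript(tag) {
  return tag === 'script' ? 'p' : tag;
}

// What the virtual DOM effectively does when it creates an element.
function elmCreateNode(doc, tag) {
  return doc.createElement(noScript(tag));
}

// Load a script from the host page (index.html), outside Elm entirely.
// `doc` is passed in so this runs under Node with a stub document.
// If you pin a CDN version, pass its published SRI hash as `integrity`;
// the browser then refuses a tampered copy of the file.
function loadExternalScript(doc, url, { integrity, crossOrigin = 'anonymous' } = {}) {
  const el = doc.createElement('script');
  el.src = url;
  if (integrity) {
    el.integrity = integrity;
    el.crossOrigin = crossOrigin;
  }
  doc.head.appendChild(el);
  return el;
}

// Boot sequence for the host page: external scripts first, Elm app second,
// which is also why the browser can start fetching them before Elm initialises.
function bootstrap(doc, elmNamespace, scripts) {
  const loaded = scripts.map((s) => loadExternalScript(doc, s.url, s));
  const app = elmNamespace.Main.init({ node: doc.getElementById('app') });
  return { loaded, app };
}

// Constructed stand-in for `document` (assumption: only the members used above).
function makeStubDocument() {
  const head = {
    children: [],
    appendChild(el) { this.children.push(el); return el; },
  };
  return {
    head,
    createElement(tag) {
      return { tagName: tag.toUpperCase(), src: '', integrity: '', crossOrigin: '' };
    },
    getElementById(id) { return { id }; },
  };
}

// Constructed stand-in for the compiled `Elm` namespace (assumption).
const stubElm = {
  Main: { init(flags) { return { mountedOn: flags.node.id, ports: {} }; } },
};

// Example run: MathJax loaded by the host page, Elm's script check untouched.
function demo() {
  const doc = makeStubDocument();
  const result = bootstrap(doc, stubElm, [
    { url: 'https://cdn.jsdelivr.net/npm/mathjax@3/es5/tex-chtml.js' },
  ]);
  // A "script" node requested from inside Elm still comes out as a <p>.
  const fromElm = elmCreateNode(doc, 'script');
  return { scriptsInHead: doc.head.children.length, fromElmTag: fromElm.tagName, app: result.app };
}
```

Usage: call `demo()`; it returns one script element appended to `<head>` by the host page, a `P` for the node Elm was asked to create, and the initialised app. The point of keeping `noScript` intact is that anything that reaches `Html.node` at runtime, including output from a dependency, cannot become an executing `<script>`, while the script you actually want is loaded where you control it.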