so currently this is possible to add html and css into the app just by putting the raw html into it.
Like this will make all hrefs lose the text "Click to show"
paragraph "<style>.state-incomplete-text {display: none;} </style>"
I tried java script and my alert didn't pop up but I didn't put too much effort into it.
So the question here is:
Is this a bug that they will probably "fix "?
Or is this a viable way to manipulate how the app will render?
This could theoretically be taken to the point where the entire app page is replaced by a react components and it just calls the appropriate hrefs and passes in the "params" to make it functional. That is if I can get javascript working.
I think allowing HTML in app code is an intentional feature, albeit one I wish many community developers would use less of (though I wish the default stylesheet were a little better so people didn't feel tempted to do this in the first place). I wouldn't go crazy with it since the default style (and underlying class/id names, etc.) may change--these aren't documented or guaranteed--and you don't know future hub updates might affect the way your app displays, so you might eventually run into trouble with your specific example. But in general, you're likely to be fine with most things, especially simple formatting.
I don't see this as an accident; many native apps take advantage of this (e.g., RM showing you "True" or "False" or Mode Manager showing the current mode in a separate color). Even for user code, it's a reasonable assumption that if you create your own or import others', you know what you're doing and assume whatever risk. What you can't do is directly provide HTML as input to apps (in, say, a text field) if you're a user of an app (this changed a few firmware versions ago), so that should prevent any circumstances in which a user intentionally or accidentally "breaks" an app in that way. How you write or use custom code is your choice, but also your responsibility to choose wisely.
