Hi,
We are using the MS AdaptiveCards and we have an issue running our application with strict CSP, more precisely the style-src 'self' option.
https://www.w3.org/TR/CSP2/
Our issue is caused by this block of code:
https://github.com/microsoft/AdaptiveCards/blob/main/source/nodejs/adaptivecards/src/card-elements.ts
rows 1026 – 1043
As far as we could determine, this was added for an Outlook scenario requested via this issue:
#1934
and added with this pull request:
#2152
So our questions are:
1. Can you please let us know if the code block mentioned in the card-elements.ts file can be considered deprecated?
2. Also, are there plans for it to be removed, as per the statement in the pull request and the fact that the Inline text runs #1933 is finished and there is already a way to do that with the RichTextBlock?
3. If the answer to 2 is 'No', could you please have a look into this issue and make it work in a strict CSP compliant way?
Why do we believe this is an issue:
The flag (GlobalSettings.allowMarkForTextHighlighting), which controls this feature and allows for the particular block of code to become executable, is stored as a static variable.
Someone can require the bundled file we serve and change this for the entire application.
Best Regards,
Hristo
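
A check for the constraint described in the post, as an added example that is not part of the original post or of the AdaptiveCards code base: it applies the CSP2 rule for `style` attributes to a policy and lists the inline `style` attributes in a piece of markup that the browser would ignore under that policy. The function names, the policies and the sample markup are constructed for illustration.

```javascript
// Added example, not AdaptiveCards code. Policies and markup are constructed samples.

// Parse one Content-Security-Policy header value into directive -> source list.
function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // A repeated directive is ignored; the first occurrence wins.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources.map((s) => s.toLowerCase()));
    }
  }
  return directives;
}

// CSP2 rule for style attributes: they apply only if the governing directive
// (style-src, else default-src) lists 'unsafe-inline' and has no nonce or hash source.
function inlineStyleAttrAllowed(header) {
  const d = parsePolicy(header);
  const sources = d.has("style-src") ? d.get("style-src") : d.get("default-src");
  if (sources === undefined) return true; // no directive governs styles
  const hasNonceOrHash = sources.some((s) => /^'(nonce|sha256|sha384|sha512)-/.test(s));
  return sources.includes("'unsafe-inline'") && !hasNonceOrHash;
}

// Rough scan of generated markup for style="..." attributes
// (a regex pass for test suites, not a full HTML parser).
function findStyleAttributes(html) {
  const pattern = /<([a-z][a-z0-9]*)\b[^>]*\sstyle\s*=\s*("[^"]*"|'[^']*')/gi;
  return [...html.matchAll(pattern)].map((m) => ({
    tag: m[1].toLowerCase(),
    value: m[2].slice(1, -1),
  }));
}

// Style attributes in the markup that the browser would ignore under this policy.
function blockedStyleAttributes(header, html) {
  return inlineStyleAttrAllowed(header) ? [] : findStyleAttributes(html);
}

// Constructed sample: a highlighted run carrying an inline style attribute.
const SAMPLE_HTML =
  '<p class="note">Status: <mark style="background-color: yellow">overdue</mark></p>';
const STRICT_POLICY = "default-src 'self'; style-src 'self'";

console.log(blockedStyleAttributes(STRICT_POLICY, SAMPLE_HTML));
```

Run against the markup an application renders, a non-empty result under the deployed policy marks the elements whose inline styling will be dropped.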