refactor button controller

- remove custom blade compiler
- remove safe eval
- use laravel blade to render the view

src/Http/Controllers/ButtonController.php

@@ -3,40 +3,29 @@
 namespace WireUi\Http\Controllers;
 
 use Illuminate\Http\Response;
+use Illuminate\Support\Facades\Blade;
 use Illuminate\View\ComponentAttributeBag;
 use WireUi\Http\Requests\ButtonRequest;
-use WireUi\Support\BladeCompiler;
 
 class ButtonController extends Controller
 {
-    private BladeCompiler $compiler;
-
-    public function __construct(BladeCompiler $compiler)
-    {
-        $this->compiler = $compiler;
-    }
-
     public function __invoke(ButtonRequest $request): Response
     {
-        $blade = <<<EOT
+        $blade = <<<'BLADE'
             <x-dynamic-component
                 :component="WireUi::component('button')"
-                {$this->attributes($request->all())->toHtml()}
+                :attributes="$attributes"
             />
-        EOT;
+        BLADE;
+
+        $attributes = new ComponentAttributeBag($request->validated());
 
-        $html = $this->compiler->compile($blade);
+        $html = Blade::render($blade, ['attributes' => $attributes]);
 
         return response($html)->withHeaders([
             'Content-Type' => 'text/html; charset=utf-8',
             'Cache-Control' => 'public, only-if-cached, max-age=31536000',
+            'Content-Security-Policy' => "default-src 'self'; script-src 'none';",
         ]);
     }
-
-    protected function attributes(array $attributes): ComponentAttributeBag
-    {
-        $attributes = new ComponentAttributeBag($attributes);
-
-        return $attributes->whereDoesntStartWith(':');
-    }
 }

tests/Unit/Http/Controllers/ButtonControllerTest.php

@@ -3,9 +3,7 @@
 namespace Tests\Unit\Http\Controllers;
 
 use Illuminate\Support\Str;
-use Illuminate\View\ComponentAttributeBag;
 use Symfony\Component\HttpFoundation\Response;
-use WireUi\Http\Controllers\ButtonController;
 
 test('it should render the button with attributes', function () {
     $params = ['type' => 'primary', 'label' => 'Click me'];
@@ -20,25 +18,11 @@
 
     $this->getJson(route('wireui.render.button', $params))
         ->assertSee('<button', escape: false)
+        ->assertDontSee('strtoupper')
+        ->assertDontSee('Click me')
         ->assertDontSee('CLICK ME');
 });
 
-test('it should filter the attributes to keep safe', function () {
-    $attributes = [
-        'color' => 'primary',
-        ':label' => "strtoupper('Click me')",
-        ':type' => "config('app.name')",
-    ];
-
-    /** @var ButtonController $controller */
-    $controller = resolve(ButtonController::class);
-
-    /** @var ComponentAttributeBag $filteredAttributes */
-    $filteredAttributes = $this->invokeMethod($controller, 'attributes', [$attributes]);
-
-    $this->assertSame(['color' => 'primary'], $filteredAttributes->getAttributes());
-});
-
 test('it should validate the request', function (string $attribute, string $rule) {
     $this->getJson(route('wireui.render.button', [$attribute => ['invalid-value']]))
         ->assertStatus(Response::HTTP_UNPROCESSABLE_ENTITY)