html-tag.js is using the .raw version of strings; y tho? #5060
Comments
usergenic
changed the title
|
Also, yeah yeah yeah we could always not escape dollar signs or backticks at all in the modulizer, but... |
dfreedm
added a commit
that referenced
this issue
Jan 25, 2018
There's a lot of pitfalls Fixes #5060
ghost
mentioned this issue
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Description
Consider the template string literal assignment from a recently modulized element iron-a11y-announcer:
Note the bound attribute
aria-live$=is represented here with an escaped\$instead of just the$. This is because of a naive, but valid, escaping that takes place when the original html file was ported into the javascript templated string literal in polymer-modulizer.Polymer
html-tag.js, however, uses the.rawvalue of this literal, resulting in its injection of the escaped character into the DOM, giving everyone binding to attributes the following experience with the current modulized code: https://github.com/Polymer/polymer-modulizer/issues/292Here's the html-tag code:
polymer/lib/utils/html-tag.html
Line 57 in ee1d71f
Can we be clear there's a reason for the
html()function to use.raw? Because I don't see a case where you'd want javascript-escape sequences to be literally interpreted when injecting HTML. Is this for convenience of embedding JS source in the template? I think it just makes things even harder to escape inside the embedded JS source then too as a consequence...The text was updated successfully, but these errors were encountered: