Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Disallow non-templates as interpolations in Polymer.html #5023

Merged
merged 9 commits into from
Jan 31, 2018
Merged

Disallow non-templates as interpolations in Polymer.html #5023

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
5e890fa
Disallow non-templates as interpolations in Polymer.html
justinfagnani Jan 7, 2018
08a020f
Merge branch 'master' into html-tag
Jan 29, 2018
58f9780
Adds `Polymer.htmlLiteral`
Jan 29, 2018
4c5b739
lint fix and update types
Jan 30, 2018
8965cb3
Review updates.
Jan 30, 2018
a9ca5bf
update types.
Jan 30, 2018
46c07f5
[ci-skip] Add comment about accepting htmlLiteral values.
kevinpschaaf Jan 30, 2018
99280df
Update types.
kevinpschaaf Jan 30, 2018
bbe4c53
Add a `toString` for output from `Polymer.htmlLiteral`
dfreedm Jan 30, 2018
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
52 changes: 49 additions & 3 deletions lib/utils/html-tag.html
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,13 +12,31 @@
(function() {
'use strict';

class HTMLLiteral {
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

docs

constructor(string) {
this.innerHTML = string;
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wouldn't name this innerHTML, this isn't an element. I'd go with value

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It was an attempt to write less code, since both types can return their string value via innerHTML; fair that it's a bit short-cutty.

}
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Consider adding a toString() implementation with the literal value

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done!

}

/**
* @param {*} value Object to stringify into HTML
* @return {string} HTML stringified form of `obj`
*/
function literalValue(value) {
if (value instanceof HTMLLiteral) {
return /** @type {!HTMLLiteral} */(value).innerHTML;
} else {
throw new Error(`non-literal value passed to Polymer.htmlLiteral: ${value}`);
}
}

/**
* @param {*} value Object to stringify into HTML
* @return {string} HTML stringified form of `obj`
*/
function htmlValue(value) {
if (value instanceof HTMLTemplateElement) {
return /** @type {!HTMLTemplateElement} */(value).innerHTML;
if (value instanceof HTMLTemplateElement || value instanceof HTMLLiteral) {
return /** @type {!HTMLTemplateElement | !HTMLLiteral} */(value).innerHTML;
} else {
throw new Error(`non-template value passed to Polymer.html: ${value}`);
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this message should probably be updated to allow for htmlLiteral too

}
Expand All @@ -32,7 +50,7 @@
*
* Templates can be composed by interpolating `HTMLTemplateElement`s in
* expressions in the JavaScript template literal. The nested template's
* `innerHTML` is inluced in the containing template.
* `innerHTML` is included in the containing template.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should also include using htmlLiteral

*
* All other values are disallowed in expressions to help prevent XSS
* attacks.
Expand All @@ -59,5 +77,33 @@
acc + htmlValue(v) + strings[idx + 1], strings[0]);
return template;
};

/**
* An html literal tag that can be used with `Polymer.html` to compose.
* a literal string.
*
* Example:
*
* static get template() {
* return Polymer.html`
* <style>
* :host { display: block; }
* ${styleTemplate}
* </style>
* <div class="shadowed">${staticValue}</div>
* ${super.template}
* `;
* }
* static get styleTemplate() { return Polymer.htmlLiteral`.shadowed { background: gray; }`; }
*
* @memberof Polymer
* @param {!ITemplateArray} strings Constant parts of tagged template literal
* @param {...*} values Variable parts of tagged template literal
* @return {!HTMLLiteral} Constructed literal string
*/
Polymer.htmlLiteral = function(strings, ...values) {
return new HTMLLiteral(values.reduce((acc, v, idx) =>
acc + literalValue(v) + strings[idx + 1], strings[0]));
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

style nit: 4 space indent for wrapped expressions

}
})();
</script>
Loading