easier way of using HTML entities #42
Comments
|
Could you describe some specific examples you're running into? There might be some things possible to make it easier.
I don't agree. You should rarely ever need to use Plus I'm not going to sacrifice security for developer convenience. Inserting unsafe HTML into your app is an awkward task on purpose. |
|
I'm not actually using bel directly. I'm using choo. And I'm honestly not sure if the escaping happens at this level of the stack or at hyperx'. I have 5 lines of content that can be blank. In those cases, to keep the layout steady, every line needs a nonbreaking space. while (numberOfTimes-- > 0) {
const blankLine = html`<div></div>`
blankLine.innerHTML = ' '
times.push(blankLine)
}
return html`
<div class="example-lines">
${times}
</div>
`Another case I ran into is for formatting two dates: 2016-10-01 13:00 > 2016-10-01 10:00Is there a more elegant way to render these?
I understand your position. But unless you're working on something like a wiki, isn't rendering user input the exception? Using the |
Think about any application that retrieves data from a database (for example via a JSON API). A user entered that data. Enter Your Name: [ One could argue what if scenarios all day but in the end, if you're not escaping your HTML your app is vulnerable to a XSS attack. That being said, I'm all for making embedding entities easier within the template strings but only if it can be done in a safe way. Here is the line of code responsible. |
|
Hm, there doesn't seem to be a I think this workaround is nicer than using const NBSP = '\u00A0'
bel`<div>12${NBSP}pm</div>` |
|
Something like this may work: function createBelCreateElement (tag, props, children, safe) {
return function belCreateElement (tag, props, children) {
// ...
function appendChild (childs) {
// ...
if (safe) {
node = document.createTextNode(node)
}
if (node && node.nodeType) {
if (safe) {
el.appendChild(node)
} else {
el.innerHTML = el.innerHTML + node
}
}
}
appendChild(children)
return el
}
}
module.exports = hyperx(createBelCreateElement(true))
module.exports.unsafe = hyperx(createBelCreateElement(false))
module.exports.createElement = belCreateElement |
|
Sorry, I don't want to provide an unsafe element creator in this library. Happy to consider a safe way to support entities embedded into the template string though. |
|
OK, something like this would be a more generic approach that detects HTML entities in the children and renders them with innerHTML while the rest keeps being rendered with createTextNode: function appendChild (childs) {
if (!Array.isArray(childs)) return
for (var i = 0; i < childs.length; i++) {
var node = childs[i]
// ...
if (typeof node === 'string') {
// parts is array of entities and regular text
const parts = node.replace(/(&[a-z]+;)/gi, '\u0000$1\u0000').split('\u0000').filter(p => p)
if (parts.length > 1) {
appendChild(parts)
continue
}
if (/^&[a-z]+;$/gi.test(node)) {
el.innerHTML = el.innerHTML + node
continue
}
if (el.lastChild && el.lastChild.nodeName === '#text') {
el.lastChild.nodeValue += node
continue
}
node = document.createTextNode(node)
}
if (node && node.nodeType) {
el.appendChild(node)
}
}
}The regex would have to be a bit more complex to also deal with numerical entities like Anyways, I'm not sure downstream libraries that use bel would appreciate the impact on performance this has. There's a reason why Handlebars, Mustache, ERB, Underscore, Haml, etc. all have an explicit way for rendering without escaping. Update: added |
|
Just wanted to chime in on this now that the module has evolved some. I hear the safety concerns, but with the added SSR capabilities of Pelo, this would be really handy. For example, I’m formatting text, which I’ve properly sanitized, as markdown formatter. Currently to do this requires: var input = 'Some **sanitized** text!'
var text = markdown(input)
var element = bel`<div></div>`
element.setInnerHTML = textUp till the addition of Pelo this was cool, but when using You can see this in action when visiting my site: Source here: Could be a great add?! 🎉 |
|
Yeah, good question. I'm not entirely sure; perhaps running an HTML escape
function and interpolating a template string?
e.g
```js
html`<div>${escape('<div>hi</div>')}</div>
```
…On Wed, Jul 12, 2017 at 9:00 AM Jon-Kyle ***@***.***> wrote:
Just wanted to chime in on this now that the module has evolved some. I
hear the safety concerns, but with the added SSR capabilities with Pelo,
this seems would be really handy. An example use case:
I’m formatting text, which I’ve properly sanitized, as markdown formatter.
Currently to do this requires:
var input = 'Some **sanitized** text!'var text = markdown(input)var element = bel`<div></div>`element.setInnerHTML = text
Up till the addition of Pelo this was an acceptable solution. However,
when using this with .toString(), there is no DOM available, and the
element ends up being blank. I’ve run into this a few times recently—would
be a great add!
(cc: @yoshuawuyts <https://github.com/yoshuawuyts>)
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#42 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/ACWlehbSyUP2LG4dg2_Vf8Tb40aGsFY4ks5sNG8OgaJpZM4JwJFO>
.
|
|
added in #86 |
Using innerHTML to insert the odd HTML entity such as
as described in the wiki is OK. But when HTML entities are used all over the place, this quickly becomes unwieldy. I wish there was some way to keep using the entities inline.Is there another reason to escape all text other than prevention of XSS from user entered text? If there isn't, I think the default of escaping everything is wrong and should be changed (if possible).
When writing plain old HTML, people are used their
<tags>being interpreted accordingly, just like their&entities;, and the rest used as is (i.e. unescaped). I wish bel could mirror that experience.The text was updated successfully, but these errors were encountered: