
Safe values #772

Merged
merged 1 commit into from
Sep 6, 2024

Conversation

joeldrapper
Collaborator

@joeldrapper joeldrapper commented Sep 6, 2024

  • Remove Phlex::SGML#unsafe_raw
  • Add Phlex::SGML#safe which creates a Phlex::SGML::SafeValue
  • Add Phlex::SGML::SafeObject a generic interface for safe objects, which Phlex::SGML::SafeValue implements
  • Add Phlex::SGML#raw, which takes a SafeObject
  • Update __attributes__ to allow the use of unsafe attribute names when the values are SafeObjects.

Example

```ruby
def view_template
  raw 🦺 "<script>"
  a href: 🦺 "javascript:alert(1)"
  a onclick: 🦺 "alert(1)"
end
```

Thanks @bradgessler for writing the original implementation of this PR. #719

Closes #718
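To make the design in the description concrete, here is an added, self-contained model of the safe-value pattern: escape-by-default output, a `SafeObject` marker interface, a `SafeValue` wrapper, `raw` that only accepts a `SafeObject` (or `nil`), and attribute rendering that refuses risky plain-string attributes unless the value is marked safe. This is illustrative code written for this page, not Phlex's own implementation; the class `MiniView`, the methods `text`, `a`, `render_attributes`, `render_example` and `attempt`, and the two attribute rules (event-handler names matching `on*`, `javascript:` values in URL attributes) are assumptions for the example, not a statement of Phlex's actual rules.

```ruby
# Added illustration of the safe-value pattern from the PR description.
# Hypothetical, self-contained model; not Phlex's own implementation.
# All names below and the attribute-name rules are assumptions.
require "cgi"

# Marker interface: any object implementing it is emitted without escaping.
module SafeObject
  def to_safe_s
    raise NotImplementedError, "#{self.class} must implement to_safe_s"
  end
end

# Concrete safe value: a frozen string the author has vouched for.
class SafeValue
  include SafeObject

  def initialize(str)
    @str = str.to_s.freeze
  end

  def to_safe_s
    @str
  end
end

# Minimal view with escape-by-default output and an explicit opt-out.
class MiniView
  EVENT_HANDLER = /\Aon[a-z]+\z/i                        # assumed rule: onclick, onload, ...
  URL_ATTRIBUTES = %w[href src action formaction].freeze # assumed rule

  def initialize
    @buffer = +""
  end

  def safe(str)
    SafeValue.new(str)
  end

  # raw accepts only a SafeObject; nil renders nothing (as in the PR's "nil content" test).
  def raw(value)
    return self if value.nil?
    raise ArgumentError, "raw expects a SafeObject, got #{value.class}" unless value.is_a?(SafeObject)
    @buffer << value.to_safe_s
    self
  end

  # text escapes plain strings; a SafeObject passes through untouched.
  def text(value)
    @buffer << (value.is_a?(SafeObject) ? value.to_safe_s : CGI.escapeHTML(value.to_s))
    self
  end

  def a(content = nil, **attrs)
    @buffer << "<a" << render_attributes(attrs) << ">"
    text(content) if content
    @buffer << "</a>"
    self
  end

  def to_html
    @buffer.dup
  end

  private

  # Plain-string values are escaped and checked against the unsafe-name rules.
  # SafeObject values skip the checks but still have double quotes escaped so
  # they cannot break out of the attribute syntax.
  def render_attributes(attrs)
    attrs.map do |name, value|
      name = name.to_s
      if value.is_a?(SafeObject)
        " #{name}=\"#{value.to_safe_s.gsub('"', '&quot;')}\""
      else
        value = value.to_s
        if name.match?(EVENT_HANDLER)
          raise ArgumentError, "unsafe attribute name #{name}; wrap the value with safe if intended"
        end
        if URL_ATTRIBUTES.include?(name.downcase) && value.strip.downcase.start_with?("javascript:")
          raise ArgumentError, "javascript: URL in #{name}; wrap the value with safe if intended"
        end
        " #{name}=\"#{CGI.escapeHTML(value)}\""
      end
    end.join
  end
end

# Renders the three cases from the PR example: escaped text, explicit raw, safe event handler.
def render_example
  v = MiniView.new
  v.text("<script>")                               # escaped
  v.raw(v.safe("<b>ok</b>"))                       # explicit opt-out
  v.a("open", onclick: v.safe("modal.showModal()")) # allowed only because the value is safe
  v.to_html
end

# Runs a block and returns :ok or the ArgumentError message the view raised.
def attempt
  yield
  :ok
rescue ArgumentError => e
  e.message
end

puts render_example if $PROGRAM_NAME == __FILE__
```

The point of the shape is that the only way to get an unescaped string or an event-handler attribute into the output is to pass an object that implements the marker interface, so every bypass is visible at the call site and searchable by name.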

Contributor

@willcosgrove willcosgrove left a comment


Looks great!

end

alias_method :🦺, :safe
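Review bot: the `:🦺` alias for `safe` is the only spelling used in the PR description's example, so it is worth documenting that `safe` is the canonical name and the emoji is an optional shorthand; a non-ASCII method name is awkward to type in some editors and to search for, and reviewers auditing escape bypasses will grep for `safe` and `raw` rather than for the emoji.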
Collaborator Author


🕶️

@@ -18,7 +30,7 @@ def view_template
with "nil content" do
view do
def view_template
unsafe_raw nil
raw nil
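Review bot: `raw nil` in the "nil content" test passes `nil` rather than a `SafeObject`, so `raw` has to special-case `nil` as "render nothing"; document that on the method and keep this assertion, so that callers do not read it as `raw` accepting arbitrary non-`SafeObject` values.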
Contributor


This method name is so much better than unsafe_raw!

@davidalejandroaguilar

Hey, good timing! Any idea when this will be released? Found myself in need of it for implementing the Modal component in PhlexyUI:

```html
<button class="btn" onclick="my_modal_1.showModal()">open modal</button>
<dialog id="my_modal_1" class="modal">
...
```

@willcosgrove
Contributor

It's in the betas that are out for 2.0. I'm not sure there's a target date for releasing 2.0, other than just "when it's ready" 😅

Probably before ruby 3.4 comes out

@davidalejandroaguilar

Ahh thought this was going to be added pre-2.0. I'll have to work with what we have now then, thanks!

@davidalejandroaguilar

davidalejandroaguilar commented Sep 27, 2024

Have to ask, would it be possible to add this pre-2.0? EDIT: Yeah this looks like a breaking change, so don't think it can!

@bradgessler
Contributor

Install 2.x beta. There's nothing super risky in there; just a few changes that break a few things, but should be relatively straightforward to fix.

@davidalejandroaguilar

davidalejandroaguilar commented Sep 28, 2024

@bradgessler Yeah, I also think there aren't too many breaking changes.

The thing is that I'm needing this for https://github.com/PhlexyUI/phlexy_ui, and even though it's new and probably no-one uses it yet, if someone does, they may not want to be in Phlex 2.x beta 😅

I can definitely wait, no worries and thanks for this PR!

@joeldrapper
Collaborator Author

You can get around it in v1 by using unsafe_raw.

@davidalejandroaguilar

Thanks for chiming in @joeldrapper!

I did see that helper being removed in this PR, but had trouble getting it to work with yielded content. I'm opening a discussion here (Discussion #793: unsafe_raw with yield renders the yielded content outside) to avoid hijacking this PR further.

Thanks again everyone 😃

@bradgessler
Contributor

Unrelated: @davidalejandroaguilar when you take on forms in PhlexyUI, take a look at https://github.com/rubymonolith/superform

I'm in the same boat as you--holding out for 2.x to drop before switching everything over.

@davidalejandroaguilar

@bradgessler I've seen it of course (I have it starred 😉), it's very interesting! Great to see so many different takes built on Phlex.

Successfully merging this pull request may close these issues.

Escape hatch to bypass Phlex HTML safety