Change div tags to script tags for props #411
Conversation
… nodes or the redux store names. 3 tests failing yet.
@martyphee Any update on this one?

Sorry, no. I'll be working on it again this week. I've been in London.

@martyphee let me know if you wanna chat about this at all too.

Yes, do you have any time tomorrow?
Please refer to:
To merge, we need:
Take a look at the home page for https://www.producthunt.com/ Seems that ProductHunt uses this strategy of a script. They probably have done tons of optimization. Interesting that the embedded store values seem to be a string, rather than an object.

window.initialState = "[\"^ \",\"annotations\",[\"~#iM\",[69195,[\"~#iR\",[\"^ \",\"n\",\"AnnotationRecord\",\"v\",[\"^ \",\"type\",\"top\",\"postId\",null,\"categoryId\",1,\"userCount\",0,\"userIds\",[]]]],69203,[\"^2\",[\"^ \",\"n\",\"AnnotationRecord\",\"v\",[\"^ \",\"^3\",\"top

So maybe the strategy is to convert to an HTML JSON string, and then JSON parse the string?
@martyphee Any update?

@martyphee How's this one going? Any preliminary performance numbers?

No, sorry. I haven't had time to work on it. I'll try to spend time this week before I go on vacation. Just got back from UK.

@martyphee Keep us posted. Hopefully you'll have some perf numbers to share!

@martyphee How's this one going?

Sorry for the delay. I'm on vacation right now. No plans to head overseas.

Hi @martyphee I'm about to push out 6.1 this weekend. Would you like to try to get this in?

I have two failing tests yet. Need to figure these out.

@martyphee Please address these in the PR description and the final commit. #411 (comment)

@martyphee Here's a security reference on the XSS topic: https://rorsecurity.info/cross-site-scripting-xss-rails

@martyphee Any new info on this one?

@martyphee How's this one going?

@martyphee Any more details on this one?

@martyphee Are you still interested in this fix?
data: redux_store_data) do | ||
# redux_store_data | ||
"var #{redux_store_data[:store_name].tr('-', '_')} = #{Yajl.dump(redux_store_data[:props])};".html_safe | ||
end |
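Review bot: `Yajl.dump(redux_store_data[:props])` is interpolated into a string that is then marked `.html_safe` with no HTML-context escaping, so any prop value containing `</script>` closes the element early and whatever follows is parsed as markup (the XSS reference linked above is exactly this case); run the JSON through Rails' `json_escape`, which turns `<`, `>` and `&` into `\u003c`-style escapes that stay valid JSON, before calling `.html_safe`. The `# redux_store_data` comment on the line above is a leftover that should go, and `tr('-', '_')` does not guarantee a valid JavaScript identifier: a store name that starts with a digit or contains a `.` still produces a syntax error in the generated `var` statement.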
Generating a JavaScript string from Ruby is a pretty bad idea in my experience. For one thing the generated identifier is in the global namespace, but it's also potentially very fragile.

My personal preference for getting values from Ruby into JS is to provide them as `data-` attributes on some element, then pull them out with JS… but that seems to be pretty much what you were doing already. Is there some reason why you wanted to use a `<script>` tag rather than a `<div>`?
Global namespace shouldn't be a problem. Attempt to make it as unique as possible though. Prepend it with a bunch of underscores or something similar. I'd advise against using a data attribute though: You might accidentally include an ambiguous ampersand which is not allowed.
@kapowaz a possible reason behind this is that initial props can be quite big, e.g. 100Kb. It is really awkward and unreadable to cram it into an HTML attribute, given that every quote is replaced with `&quot;`.
@justin808 Yes, we still want to do this to try speeding up the page rendering. I'll work on it this week.

@martyphee How's this one going?

I started to do some work on it last night. I'll try to get thru it.
style: nil, | ||
data: options.data) do | ||
props = Yajl.dump(options.props.is_a?(String) ? JSON.parse(options.props) : options.props) | ||
"var #{options.dom_id.tr('-', '_')} = #{props};".html_safe |
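Review bot: the same unescaped-JSON-inside-`.html_safe` problem is here too: `JSON.parse` followed by `Yajl.dump` only normalises a pre-serialised string prop, it escapes neither `<` nor `/`, so a value containing `</script>` still terminates the tag. Parsing a string only to re-dump it also raises `JSON::ParserError` for any non-JSON string and doubles the serialisation work on precisely the large payloads this PR is trying to speed up; if the string form is already JSON, pass it straight through `json_escape` instead. As in the earlier hunk, `options.dom_id.tr('-', '_')` defines a global whose name is only as valid as whatever the caller put in `dom_id`.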
I would suggest not playing games with global Javascript variables but instead use

```html
<script type="application/json" id="...">{ "json": "encoded-data" }</script>
```

Also, it would really help development if you use human-readable JSON in non-development environment, a-la:

```ruby
# json_escape is Rails' ERB::Util.json_escape: it rewrites <, > and & inside the
# JSON text as \u escapes, so the result is still valid JSON but cannot close the tag.
def json_safe_and_pretty(something)
  if Rails.env.development?
    json_escape(JSON.pretty_generate(something.as_json))
  else
    json_escape(something.to_json)
  end
end
```
It also looks like JSON `<script>` tag also solves the Turbolinks issue, because there is no need to execute any `<script>` tag, you just have to replace `el.getAttribute()` with (IIRC) `.textContent`. Also, no `eval()`!
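The three transports argued over in this thread side by side: the `data-` attribute with its `&quot;` bloat, the executable `var x = ...` script that a `</script>` inside a prop value breaks out of, and the JSON-typed script that is read back with `textContent` and `JSON.parse` (the "HTML JSON string, then JSON parse" idea from the ProductHunt comment above). This is an added example, not react_on_rails code and not something any commenter posted. It assumes plain Ruby with only the standard library: `json_escape` re-implements the escape table of Rails' `ERB::Util.json_escape` so it runs outside Rails, and `props_from_json_script` / `props_from_data_attr` stand in for what a browser's `textContent` and `getAttribute()` hand back. The hostile prop value is constructed for the demonstration.

```ruby
require "json"
require "erb"
require "cgi"

# Escape table of Rails' ERB::Util.json_escape (assumption: matches the Rails 4/5
# source). The replacements are JSON \u escapes, so the text stays valid JSON while
# no literal "<", ">" or "&" survives, which is what stops "</script>" breakout.
JSON_ESCAPE = {
  "&" => '\u0026', ">" => '\u003e', "<" => '\u003c',
  "\u2028" => '\u2028', "\u2029" => '\u2029'
}.freeze
JSON_ESCAPE_REGEXP = /[\u2028\u2029&><]/u

def json_escape(json)
  json.to_s.gsub(JSON_ESCAPE_REGEXP, JSON_ESCAPE)
end

# 1. data- attribute (the pre-PR approach): html_escape turns every quote into
#    &quot;, every < into &lt; and so on; the browser decodes them in getAttribute.
def data_attr_div(dom_id, props)
  id = ERB::Util.html_escape(dom_id)
  %(<div id="#{id}" data-props="#{ERB::Util.html_escape(JSON.generate(props))}"></div>)
end

# 2. Executable script with raw JSON (what the PR's hunks do): the HTML parser does
#    not understand JSON string boundaries, so "</script>" inside a value ends the
#    element and the rest of the value is parsed as markup.
def unsafe_var_script(dom_id, props)
  name = dom_id.tr("-", "_")
  %(<script>var #{name} = #{JSON.generate(props)};</script>)
end

# 3. Non-executable JSON script (squadette's suggestion): nothing runs, no global
#    is defined, and json_escape makes "</script>" unrepresentable in the body.
def json_props_script(dom_id, props)
  id = ERB::Util.html_escape(dom_id)
  %(<script type="application/json" id="#{id}">#{json_escape(JSON.generate(props))}</script>)
end

# Number of "</script" sequences the HTML parser would see. Anything above the one
# legitimate closing tag means a prop value broke out of the element.
def script_close_count(html)
  html.scan(%r{</script}i).size
end

# Stand-in for `el.textContent` on a <script>: the browser returns the raw text
# between the tags (no entity decoding inside <script>), then JSON.parse does the
# rest, decoding the \u003c escapes back into "<".
def props_from_json_script(html)
  JSON.parse(html[%r{<script type="application/json"[^>]*>(.*)</script>}m, 1])
end

# Stand-in for `el.getAttribute("data-props")`: the browser decodes the entities.
def props_from_data_attr(html)
  JSON.parse(CGI.unescapeHTML(html[/data-props="([^"]*)"/, 1]))
end

# Constructed hostile prop: a product title somebody typed into the database.
EVIL_PROPS = {
  "title" => "</script><script>alert(document.cookie)</script>",
  "count" => 1
}.freeze

if __FILE__ == $PROGRAM_NAME
  puts unsafe_var_script("app-store", EVIL_PROPS)   # breaks out of the element
  puts json_props_script("app-store", EVIL_PROPS)   # one closing tag, still valid JSON
  puts data_attr_div("app-store", EVIL_PROPS)       # safe, but every quote is &quot;
end
```

Counting `</script` sequences is the quickest way to see the difference: the `var` version emits three (two from the payload plus the real closing tag), the JSON-typed version exactly one, and both the data attribute and the JSON script round-trip the original hash. The size argument from the thread also shows up, since the attribute form pays five extra bytes for every quote in the JSON while the escaped script body only pays for angle brackets and ampersands.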
I haven't had much time to look at this yet.

Hi @martyphee Any new developments on this one?

@martyphee Is this one worth doing? @squadette any interest in working on this one?

See #660.

Deferring to #660.

WIP - Changed divs to script tags.