Open jasonhansel opened 8 years ago
Thanks @jasonhansel. I'll write some tests and documentation for this. Any sort of escaping we've left up to the user depending on what they're trying to do.
It looks like you here you want to display the html as a string on both sides, so I would have used another module to just escape that string to get the correct output. I can see how this would be confusing though. Even just a warning in development if we detect that a string looks like HTML but isn't escaped would be useful.
Thanks for looking into this! To clarify, I actually don't want to display the HTML as a string on both sides. Rather, I want using renderString
(on the server) and using render
(on the client) to produce visually similar results (though the output from renderString
will of course not be interactive).
Adding a warning in development would be an excellent idea, though it wouldn't be much more work to just incorporate the escaping functionality into deku itself; I'd be glad to submit a PR for that, if it would be helpful. The code necessary for doing the escaping is less than 80 lines.
I'm also still somewhat concerned about the security implications of not escaping potentially untrusted data; OWASP, for instance, recommends always escaping user data inserted into HTML elements.
FWIW, this would be valuable for us as well!
Since
renderString
does not escape HTML tags, the HTML generated byrenderString
can look very different in the browser from the DOM generated byrender
.For instance, given the following code:
The following lines of code will produce very different results:
This inconsistency can create problems for isomorphic applications, which expect to be rendered in the same way on both the server and the client.
Furthermore, this opens up the possibility for XSS issues, if the data is untrusted. This problem was already noted in issue #55, but that issue discussed escaping input, while this is really an issue of escaping output (namely, the output produced by
renderString
and displayed to the client).