search

aurelia / templating-binding

An implementation of the templating engine's Binding Language abstraction which uses a pluggable command syntax.
MIT License
32 stars 26 forks source link

ValueConverters returning HTML #87

Closed RomkeVdMeulen closed 8 years ago

RomkeVdMeulen commented 8 years ago

If I have a ValueConverter that produces HTML, like:

export class NewlinesValueConverter {
    public toView(value) {
        if (!value) {
            return null;
        }
        return value
            .replace(/\r\n/g, "\n")
            .replace(/[\r\n]/g, "<br/>");
    }
}

and I use it like so:

${note | newlines}

then the <br/> elements are escaped. Of course I can do

<span innerhtml.bind="note | newlines"></span>

but it'd be nice if I can configure this specific ValueConverter to not have its output escaped, say with a decorator. What do you think?

EisenbergEffect commented 8 years ago

Unfortunately, we can't change this. The interpolation binding mechanism sets textContent. The only way to bind html is to use innerhtml.bind. We don't want to make this any easier because of security concerns.