bem / bh

BH template engine
http://bem.github.io/bh/
MIT License

What about escaping specific BEMJSON field, e.g. 'contentSafe'? #179

Open f0rmat1k opened 7 years ago

f0rmat1k commented 7 years ago

Something like this: { block: 'button', contentSafe: "<script>alert('you shall not pass!')</script>" }

miripiruni commented 7 years ago

@f0rmat1k escaping or contentSafe? Those are opposite things. Escaping a field means you don't trust its value. But by naming the field contentSafe we assume that its content is safe and its value should be output as is.

In BH you can use html field. See test: https://github.com/bem/bh/blob/master/test/test.html.js#L14

qfox commented 7 years ago

Feels like it's the same as safe/unsafe to mark fields as "need escaping" and "does not need escaping" flags.

I like the way we do it in bem-xjst: { content: { html: '<script>alert(1);</script>' } } (same as safe: '<script>alert(1);</script>'), but I agree that the opposite would be useful too, so as not to call the escaping method directly.

f0rmat1k commented 7 years ago

@miripiruni I just wanted to say that right now I have to escape any content by hand:

{
   content: escape('content')
}

A global option isn't useful. Maybe BH should really force-escape the content field, and do it like React:

{
   dangerouslyContent: '<span>content</span>'
}

Anyway, for me it would be enough to have some field where I can insert content for escaping.

Yeti-or commented 7 years ago

@f0rmat1k I don't understand why the option escapeContent: true doesn't do what you want?

f0rmat1k commented 7 years ago

@Yeti-or because it affects whole project

qfox commented 7 years ago

Like that?

bh.match('*', function(ctx, json) {
  // copy the untrusted field into content, escaped, before rendering
  if (json.dangerousContent) {
    json.content = bh.escape(json.dangerousContent);
  }
});
qfox commented 7 years ago

var bemjson = {
  content: [
    'this wont be escaped',
    { unsafe: true, content: [
      'But this will be escaped'
    ] }
  ]
};

And...

bh.match('*', function(ctx, json) {
  if (json.unsafe) {
    // mark the subtree as unsafe, render it, then clear the mark
    ctx.unsafe = true;
    var res = ctx.applyBase();
    ctx.unsafe = false;
    return res;
  }
});

bh.match('*', function(ctx, json) {
  if (ctx.unsafe) {
    // escape content manually here
  }
});

Yeti-or commented 7 years ago

React escaping affects the whole project too.

f0rmat1k commented 7 years ago

@Yeti-or but React has dangerouslySetInnerHTML

qfox commented 7 years ago

@f0rmat1k BH has content: { tag: false, html: ... } that works like dangerouslySetInnerHTML: ...

f0rmat1k commented 7 years ago

@zxqfox So I will have to create a .bh for every block (usually priv is enough for me). It isn't as simple as a specific BEMJSON field. But thank you for the advice.

mishanga commented 7 years ago

The "compromised" logic can be implemented via tParam: set it for all children somewhere at the level of a block that has a template. That is, mark a branch of the BEMJSON as compromised, not a single node.

qfox commented 7 years ago

Oh, when I wrote about ctx, I meant tParam for the subtree. I'll fix the snippet.

qfox commented 7 years ago

Without tParam: https://goo.gl/JvaD4D It seems that this is even better. With tParam: ~~https://goo.gl/sAFRbg~~ https://goo.gl/RRU1nW