Closed aral closed 1 year ago
I’m testing this in Kitten at the moment and I’m not entirely sure I’m going to go with it. Will update this thread with the implications I find for authoring, etc. Please treat this PR as a work-in-progress for the time being.
Right, so the problem with this is that I can’t see any way of not escaping text content (e.g., for those times when we actually want to render sanitised HTML).
With vhtml, you can have dangerouslySetInnerHTML as an attribute as it’s aware of attributes. But, unless I’m missing something, we’re not at the stage where we set the field content. Sending some sort of a flag within the field content itself, of course, wouldn’t work as that would be an exploit itself.
Hmm…
Escapes fields (interpolated strings)
See #21 for a more detailed explanation of the reasoning behind it.
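To make the point in the discussion above concrete, here is an added example (not Kitten's or vhtml's code) of a tagged template that escapes every interpolated field by default and lets the caller mark already-sanitised HTML with an opaque wrapper class. It also includes the rejected alternative, an in-band string flag, to show why that is bypassable by anyone who controls the field content. The `html`, `trusted` and `TrustedHtml` names, and the sample inputs, are assumptions made for this example.

```javascript
// Added example, not code from the project under discussion.
// Escape-by-default tagged template with an out-of-band "trusted" marker.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that matter in HTML text and attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Opaque wrapper: only code that deliberately calls trusted() can produce one.
// A string, however crafted, can never be an instance of this class, so
// untrusted field content cannot forge the marker.
class TrustedHtml {
  #html;
  constructor(html) { this.#html = String(html); }
  toString() { return this.#html; }
}

function trusted(sanitisedHtml) { return new TrustedHtml(sanitisedHtml); }

// Tagged template: literal parts are kept verbatim, interpolated fields are
// escaped unless they are TrustedHtml instances.
function html(strings, ...fields) {
  let out = strings[0];
  fields.forEach((field, i) => {
    const rendered = field instanceof TrustedHtml ? field.toString() : escapeHtml(field);
    out += rendered + strings[i + 1];
  });
  return out;
}

// Contrast: the in-band flag the thread rejects. The "do not escape" signal
// lives inside the field content, so any user who can type the prefix gets
// their markup rendered unescaped.
const RAW_PREFIX = '!RAW!';
function htmlWithStringFlag(strings, ...fields) {
  let out = strings[0];
  fields.forEach((field, i) => {
    const s = String(field);
    const rendered = s.startsWith(RAW_PREFIX) ? s.slice(RAW_PREFIX.length) : escapeHtml(s);
    out += rendered + strings[i + 1];
  });
  return out;
}

// Constructed sample inputs: an untrusted comment and a snippet that has
// already been through a sanitiser (assumed for this example).
const userComment = '<script>alert(1)</script>';
const sanitisedBio = '<p>Hello <em>world</em></p>';

function demo() {
  return {
    // default path: untrusted field is escaped
    escaped: html`<div>${userComment}</div>`,
    // explicit opt-out: sanitised HTML passes through untouched
    passedThrough: html`<div>${trusted(sanitisedBio)}</div>`,
    // a string that merely looks like the marker is still escaped
    forgedMarkerStillEscaped: html`<div>${'[object TrustedHtml]' + userComment}</div>`,
    // in-band flag: attacker-controlled content switches escaping off
    stringFlagBypassed: htmlWithStringFlag`<div>${RAW_PREFIX + userComment}</div>`,
  };
}

console.log(demo());
```

The design choice is that the "this is safe" signal is a type, not data: it can only be created by calling `trusted()` in code, and the template checks it with `instanceof`, so nothing that arrives as a string from a user can turn escaping off. The `htmlWithStringFlag` variant is included only to show the failure mode the thread describes.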