showToast() first argument: text or HTML?

jackbsteinberg / std-toast

121 stars 4 forks source link

showToast() first argument: text or HTML? #12

Closed jackbsteinberg closed 5 years ago

jackbsteinberg commented 5 years ago

The developer can use the <std-toast> HTML element to pass in custom HTML content for the toast, but there is currently no way to do this for the showToast() function.

This could be solved by passing in an HTML template string as the message parameter of showToast(message, options), for example:

const toast = showToast(`<b>Hello</b> World!`);

Is there interest in supporting this behavior, or is the current option sufficient?

domenic commented 5 years ago

The issue here is security, as this would be an additional markup injection point. Libraries or tools that guard those (e.g. linters that prohibit assigning to innerHTML) would need to also cover the showToast() function.

fergald commented 5 years ago

Can we just say that the API is

showToast(...).innerHTML = "..."

and explain that we simply don't want to add another injection point. That API is not pretty but it's not horrible.

jackbsteinberg commented 5 years ago

That's a good option, though I am hesitant to solidify that before I know how exactly we're using the shadow DOM and <slot>s, and how exactly those work with innerHTML