Currently all interpolated text nodes and attributes are escaped. This is done on the server through a function call and on the client by assigning to character data, which will not create DOM nodes.
But there are cases for injecting raw HTML. There are ways around it, but they get complex and are likely too complex for Prism's reactivity system. If they are sanitized then it should be fairly safe to do raw.
There could be a new attribute `#html` which depicts that the element's `innerHTML` is the value of the attribute. Any element with `#html` must have no children.
This should be fairly easy to do. Add a new property to `NodeData` depicting that the element uses raw HTML. For client side rendering add the property `innerHTML: **#html value**` to the attribute object. For server side rendering drop the wrapping `escape` call. Then there is the reactivity, which would point to `.innerHTML` rather than `.childNodes`.
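
A sketch of the server-side half of this proposal, added here as an illustration and not taken from Prism's code: interpolated text keeps the `escape` call, while a node flagged as raw HTML must have no children and has its value sanitized before it is emitted. The node shape, `renderNode`, `sanitize` and the tag allowlist are assumptions; only `escape`, `#html` and the no-children rule come from the text above.

```javascript
// Added example with hypothetical names; not Prism's renderer.
const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Default path: every interpolated value becomes inert character data.
function escape(text) {
  return String(text).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Assumed sanitizer for the raw path: escape everything first, then restore
// only exact, attribute-less tags from a small allowlist. Any other markup
// (other tags, attributes, event handlers) stays escaped text.
const ALLOWED_TAGS = ["b", "i", "em", "strong", "code"];
function sanitize(html) {
  const restorable = new RegExp(`&lt;(/?)(${ALLOWED_TAGS.join("|")})&gt;`, "g");
  return escape(html).replace(restorable, "<$1$2>");
}

// node: string | { tag, rawHtml, value, children }
// rawHtml stands in for the proposed NodeData property set by #html.
function renderNode(node) {
  if (typeof node === "string") return escape(node);
  const children = node.children || [];
  let inner;
  if (node.rawHtml) {
    // The proposal requires that an element with #html has no children.
    if (children.length > 0) {
      throw new Error(`<${node.tag}> uses #html and must have no children`);
    }
    inner = sanitize(node.value); // escape is dropped here, sanitize replaces it
  } else {
    inner = children.map(renderNode).join("");
  }
  return `<${node.tag}>${inner}</${node.tag}>`;
}

// Constructed sample value, as it might arrive from a user-editable field.
const comment = '<b>Hi</b> <img src=x onerror="track()">';

const escaped = renderNode({ tag: "p", rawHtml: false, children: [comment] });
const raw = renderNode({ tag: "p", rawHtml: true, value: comment });
console.log(escaped);
console.log(raw);
```

On the client the same sanitized string would be what is assigned to `innerHTML`, both on first render and on every reactive update.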