ractivejs / ractive

Next-generation DOM manipulation
http://ractive.js.org
MIT License

Inconsistent HTML entity decoding in attributes #3434

Closed ppena-LiveData closed 3 weeks ago

ppena-LiveData commented 4 months ago

Description:

If a template has an HTML element attribute with just a static string, then HTML entities are decoded, but if there's a mustache in the attribute, then the HTML entities are not decoded. For example, attr="&amp;" will have &amp; decoded to &, but attr="&amp;{{''}}" will not have it decoded; see that example in the Ractive Playground.

Versions affected:

Maybe all? The problem is in src/parse/converters/element/readAttribute.js, since it only calls decodeCharacterReferences() when value.length === 1 && isString(value[0]).

Platforms affected:

All.

Suggested fix:

Instead of this:

  if (value.length === 1 && isString(value[0])) {
    return decodeCharacterReferences(value[0]);
  }

The code could decode all static strings, like this (thanks @GabeSchaffer for this suggested fix):

  // decode HTML entities for each static string within an attribute
  for (var i = 0; i < value.length; i++) {
    if (isString(value[i])) {
      value[i] = decodeCharacterReferences(value[i]);
    }
  }

  if (value.length === 1 && isString(value[0])) {
    return value[0];
  }

evs-chris commented 4 months ago

Thanks for the concise bug report with a very good breakdown of the problem and resolution! This should be resolved in 1.4.4.
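
The inconsistency reported in this issue, reproduced as an added example (not Ractive's source and not code from the thread). It assumes a parsed attribute value is an array of static strings and mustache placeholders; `decodeEntities`, `readValueBefore`, `readValueAfter` and `render` are hypothetical names, and `decodeEntities` is a simplified stand-in for `decodeCharacterReferences`.

```javascript
// Simplified stand-in for decodeCharacterReferences (assumption: a handful of
// named entities plus numeric references; the real table is far larger).
const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };

function decodeEntities(str) {
  return str.replace(/&(#[xX][0-9a-fA-F]+|#[0-9]+|[a-zA-Z]+);/g, (match, ref) => {
    if (ref[0] !== '#') {
      return Object.prototype.hasOwnProperty.call(NAMED, ref) ? NAMED[ref] : match;
    }
    const hex = ref[1] === 'x' || ref[1] === 'X';
    const code = parseInt(ref.slice(hex ? 2 : 1), hex ? 16 : 10);
    // Leave out-of-range references untouched instead of throwing.
    return code > 0 && code <= 0x10ffff ? String.fromCodePoint(code) : match;
  });
}

// Reported behaviour: decode only when the attribute is one static string.
function readValueBefore(value) {
  if (value.length === 1 && typeof value[0] === 'string') {
    return decodeEntities(value[0]);
  }
  return value;
}

// Suggested fix: decode every static fragment, never the mustache parts.
function readValueAfter(value) {
  const out = value.map(p => (typeof p === 'string' ? decodeEntities(p) : p));
  return out.length === 1 && typeof out[0] === 'string' ? out[0] : out;
}

// Hypothetical renderer: join static text with interpolated data values.
function render(value, data) {
  if (typeof value === 'string') return value;
  return value.map(p => (typeof p === 'string' ? p : String(data[p.mustache]))).join('');
}

// Constructed parse results for href="?a=1&amp;b=2" and href="?a=1&amp;b={{id}}".
const staticOnly = ['?a=1&amp;b=2'];
const mixed = ['?a=1&amp;b=', { mustache: 'id' }];

console.log(render(readValueBefore(staticOnly), {}));   // static attribute, decoded
console.log(render(readValueBefore(mixed), { id: 2 })); // mixed attribute, entity left encoded
console.log(render(readValueAfter(mixed), { id: 2 }));  // mixed attribute, decoded after the fix
```

Only template-authored static text is decoded; values interpolated through a mustache pass through unchanged in both versions.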