Render input "value" as HTML attribute

riot / ssr

Riot.js node Server Side Rendering

MIT License

32 stars 8 forks source link

Render input "value" as HTML attribute #3

Closed nesterow closed 5 years ago

nesterow commented 5 years ago

When the input value is set through a property using javascript (input.value = "test") it does not reflect on the HTML attribute "value". So the markup rendered by javascript would return no values for <input> elements.

GianlucaGuarini commented 5 years ago

thank you for this PR, the choice to avoid printing the value attributes is due to security reasons. I need to be sure that rendering the value attribute for password inputs via SSR doesn't represent a security leak. Please hold on a bit I will need to check how other SSR frameworks deal with such dangerous stuff

nesterow commented 5 years ago

Makes sense. I think the value attribute should be presented on input elements at least as an empty string. If there's no value attribute the templates would loose bindings after hydrating. I guess because morphdom calls El.removeAttribute('value') if there weren't values on both inputs. https://github.com/patrick-steele-idem/morphdom/blob/da08ab419ae21d305bc5cfb38f2f3d6c2152d1c7/src/specialElHandlers.js#L51

GianlucaGuarini commented 5 years ago

thank you for this patch I will publish a new release asap