Closed zkochan closed 6 years ago
Thanks for pointing this out.
Indeed snabbdom uses document.createTextNode, which I guess does the encoding. See https://github.com/snabbdom/snabbdom/blob/master/src/htmldomapi.ts#L27-L29
What do you think would be the simplest way to do the encoding and apply it to vnode.text? https://github.com/snabbdom/snabbdom-to-html/blob/master/init.js#L33
I am not aware of built-in Node.js modules that would encode HTML. I searched on npm and it seems like he is the most popular package for encoding/decoding HTML.
Actually, it is enough to encode just the <>"&. This is how preact does it:
This module is actually using lodash.escape already haha, which does that exactly:
https://lodash.com/docs/#escape
https://github.com/snabbdom/snabbdom-to-html/blob/master/package.json#L29
I'll try and fix this over the weekend. PRs are welcome too :-)
Another hand-made take https://github.com/stasm/innerself/blob/master/sanitize.js
@zkochan, @acstll: Hi! This does not seem to be fixed, so I've tried to address the issue in #38
When using snabbdom directly, it encodes text passed to the node:
To insert raw HTML to a node with snabbdom, the innerHTML prop should be set, see explanation in this issue.
However, when rendering with snabbdom-to-html, text is not encoded, so the previous example with snabbdom-to-html will be:
This is inconsistent and dangerous.
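The fix the thread converges on, as an added example that is not snabbdom-to-html's, snabbdom's or preact's code: escape the characters named above (& < > ", plus the single quote for attribute safety) whenever vnode text is serialised, and emit raw markup only for an explicit innerHTML prop. The renderToHtml function and its simplified vnode shape ({ sel, data.props, text, children }, with sel a bare tag name) are assumptions for illustration.

```javascript
// Added example, not project code: minimal HTML text escaping for a
// server-side vnode-to-string renderer, mirroring the browser contract
// where createTextNode always yields character data, never markup.
const ESCAPE_MAP = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Replace every special character in one pass. A single regex pass is
// important: escaping '&' separately after the others would turn a fresh
// '&lt;' into '&amp;lt;' (double encoding).
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPE_MAP[ch]);
}

// Render a simplified vnode: { sel, data: { props }, text, children }.
// (Assumed shape; sel is treated as a bare tag name.) Text and string
// children are always escaped; only an explicit innerHTML prop is emitted
// raw, which is the same opt-in snabbdom requires in the browser.
function renderToHtml(vnode) {
  if (typeof vnode === 'string') return escapeHtml(vnode);
  const { sel, data = {}, text, children = [] } = vnode;
  const props = data.props || {};
  let inner;
  if (Object.prototype.hasOwnProperty.call(props, 'innerHTML')) {
    inner = props.innerHTML; // caller explicitly asked for raw HTML
  } else if (text !== undefined) {
    inner = escapeHtml(text); // untrusted text becomes character data
  } else {
    inner = children.map(renderToHtml).join('');
  }
  return `<${sel}>${inner}</${sel}>`;
}

// Constructed sample input: text that looks like markup must come out
// as visible text, not as a <b> element.
const sample = { sel: 'div', text: 'Tom & "Jerry" <b>not bold</b>' };
console.log(renderToHtml(sample));
```

Whatever escaper is used (this one, lodash.escape or he), the check that matters is that a vnode's text never reaches the output string unescaped while innerHTML remains the only way to emit raw markup.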