Closed rbelouin closed 6 years ago
Just a note, even though this was a bug on snabbdom-to-html end, this IS a breaking change. I know devs that were using it as a feature, passing raw html as text
Thank you @rbelouin , it's perfect. I'm merging and publishing tomorrow.
I'll bump major then, I agree @zkochan
Published 5.0.0, thanks again @rbelouin for such an impeccable PR!
No worries!
Is there a way to bypass escape? I am inserting a stringified JSON-Object in a script tag and now all " are \"
EDIT: I solved it in a fork by adding UNESCAPED_ELEMENTS to elements.js and an escapeText bool to renderString. I can now define tags whose children are not being escaped: https://github.com/snabbdom/snabbdom-to-html/commit/163abbf7f312d67641889f93950398f0dbd1cd54
An issue I've noticed recently:
As you can see, the HTML characters of the text content of the div tag aren't escaped properly. This isn't consistent with snabbdom's behavior and this is a security flaw: if anyone is using this library in production to render pages, they might be vulnerable to XSS attacks.
Issue #36 seems to be related.
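The two escaping contexts raised in this thread (text nodes, and JSON placed inside a script tag), as an added example that is not code from the PR or from snabbdom-to-html. The vnode shape, the `json` field and the names `escapeHtml`, `jsonForScript` and `render` are assumptions made for illustration, and the input is constructed.

```javascript
// Added example. The vnode shape ({ sel, text, children, json }) and every
// function name here are assumptions for illustration, not snabbdom-to-html's API.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Text nodes: entity-escape so markup in data is displayed, not parsed.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ENTITIES[c]);
}

// <script> content: the HTML parser does not decode entities there, so
// entity-escaping would corrupt JSON. Use JSON \u escapes for the characters
// that could close the element or open a comment; JSON.parse restores them.
function jsonForScript(value) {
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

function render(vnode, opts = { escapeText: true }) {
  let inner;
  if (vnode.sel === 'script' && vnode.json !== undefined) {
    inner = jsonForScript(vnode.json);
  } else if (vnode.children) {
    inner = vnode.children.map((c) => render(c, opts)).join('');
  } else {
    const text = vnode.text ?? '';
    // escapeText: false reproduces the pre-fix behaviour discussed above.
    inner = opts.escapeText ? escapeHtml(text) : String(text);
  }
  return `<${vnode.sel}>${inner}</${vnode.sel}>`;
}

// Constructed sample input standing in for user-supplied data.
const untrusted = '<img src=x onerror=alert(1)>';
const page = {
  sel: 'div',
  children: [
    { sel: 'p', text: untrusted },
    { sel: 'script', json: { comment: '</script>' + untrusted, quote: '"ok"' } },
  ],
};

console.log(render(page, { escapeText: false })); // text node emitted as live markup
console.log(render(page));                        // text node escaped, JSON intact
```

The script payload stays valid JSON with its quotes untouched, and the embedded `</script>` can no longer terminate the element.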