Open dxlbnl opened 4 years ago
Basically the same as #1779, and I still have the same concerns about making Svelte responsible for decoding entities at runtime, especially in SSR.
Another perspective is that this opens up yet another opportunity for XSS/CSRF exploitation. I think the fewer places we support injection, the better.
@Conduitry I'm not seeing how it should be able to decode html entities, as it just shouldn't encode them to begin with?
@dkondrad It does, but that's why it would be in an explicit {@html } tag.
Oh that's true for SSR I suppose. If {@html foo} meant to literally insert that string at this point in the server rendered HTML, that would work. It's not really any more of a risk than {@html} elsewhere already is. You're taking your life in your hands either way, really.
For DOM mode, we'd still need some sort of hidden text area mechanism, because the APIs we have available to us expect literal strings.
Here's an example from Bootstrap 5.1 Documentation for Tooltips that contain HTML...
```html
<button type="button" class="btn btn-secondary" data-bs-toggle="tooltip" data-bs-html="true" title="<em>Tooltip</em> <u>with</u> <b>HTML</b>">
  Tooltip with HTML
</button>
```
In my case, I want this...
```js
const title = `<em>Tooltip</em> <u>with</u> <b>HTML</b>`
```
and
```svelte
<button type="button" class="btn btn-secondary" data-bs-toggle="tooltip" data-bs-html="true" title={@html title}>
  Tooltip with HTML
</button>
```
for a website that is not public.
Any tooltip library is going to have this need... as I just found this Svelte limitation trying to use HTML with https://kazzkiq.github.io/balloon.css/
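As an added illustration (not Svelte's or Bootstrap's code, and not from this thread): what attribute escaping does to the tooltip title above, why the escaped SSR output parses back to the same attribute value in the DOM, and why inserting the value raw lets a double quote end the attribute early. `escapeAttribute` and `decodeAttribute` are simplified stand-ins for the compiler's escaping and the browser's attribute parsing; the `H₂` case shows the entity complaint from the thread (pass the character, not the entity text).

```javascript
// Illustrative stand-in for what an SSR compiler does before placing a value
// inside a double-quoted attribute: the characters that could end the
// attribute or start markup become character references.
function escapeAttribute(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Illustrative stand-in for the browser's attribute parsing: named and numeric
// references are decoded, so the DOM attribute holds the original string.
// (Minimal decoder: the named references above plus numeric ones.)
const NAMED = { amp: '&', quot: '"', lt: '<', gt: '>', apos: "'" };
function decodeAttribute(html) {
  return html.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);/gi, (match, ref) => {
    if (ref[0] === '#') {
      const hex = ref[1].toLowerCase() === 'x';
      const cp = hex ? parseInt(ref.slice(2), 16) : parseInt(ref.slice(1), 10);
      return String.fromCodePoint(cp);
    }
    return NAMED[ref.toLowerCase()] ?? match;
  });
}

// Render the tooltip button with the title escaped (what the compiler does)
// or raw (what {@html} inside an attribute would do).
function renderButton(title, raw = false) {
  const attr = raw ? title : escapeAttribute(title);
  return `<button type="button" data-bs-toggle="tooltip" data-bs-html="true" title="${attr}">Tooltip</button>`;
}

// Read the title attribute back the way a parser would: take the text up to
// the next double quote, then decode references.
function parsedTitle(markup) {
  const m = /title="([^"]*)"/.exec(markup);
  return m ? decodeAttribute(m[1]) : null;
}
```

In the escaped form the HTML source shows `title="&lt;em&gt;…"`, but the attribute value the tooltip library reads from the DOM is the original `<em>…` markup, which is why SSR escaping is not what blocks the Bootstrap case.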
We also have HTML entities in the title. No need to have HTML tags, but the symbols are a must have. Even Google SERPs do respect them.
Maybe adding another special tag just for HTML entities, like {@entities H₂}
When using @rollup/plugin-image with svg images, it puts plain svg in an imported variable. Then it's impossible to set the data:image url as source since it's being escaped.
A possible solution is to allow @html tags inside attributes.
Example: