Closed mbrodesser-Igalia closed 1 month ago
Alternatively, perhaps https://w3c.github.io/trusted-types/dist/spec/#html-validate-the-string-in-context could be adapted to take either a TrustedType or a string. Then https://github.com/whatwg/webidl/pull/1392 would require adaptation too.
CC @lukewarlow since it might affect above PR.
Tried to learn from an existing spec: https://dom.spec.whatwg.org/#dom-node-textcontent takes a value and calls https://dom.spec.whatwg.org/#string-replace-all which expects a string. However, the stringification of value to string is not specified. Did I miss anything?
CC @domenic
Yeah you're right the "html" algorithm probably needs updating. I'm not sure what the correct way to do it is though.
(For textContent
stringification follows from IDL and it only accepting a string.)
That makes sense, and because this is before full type conversion it's just a raw value so we should be handling it.
(For
textContent
stringification follows from IDL and it only accepting a string.)
Why does it follow from IDL? See e.g. https://jsfiddle.net/jmfdasgp/.
Because the IDL says it's a nullable DOMString so by the time the setter steps are running the value is already either null or stringified.
Because the IDL says it's a nullable DOMString so by the time the setter steps are running the value is already either null or stringified.
Agreed.
Where is the conversion from other objects, e.g. from a div
element (e.g. https://jsfiddle.net/jmfdasgp/), to a DOMString
specified? The IDL for the div
element, https://html.spec.whatwg.org/#the-div-element, contains no stringifier
and neither do its ancestors.
contains no stringifier and neither do its ancestors.
The Object type itself has its own stringifier which is what is being used.
I'm thinking to solve this we could change Get trusted type compliant string to take any type, and then after step 1 insert a new step that stringifies the value (and throws if it can't stringify, I'm not sure any JS type can't be stringified though?)
Can this be closed? We're going to be using unions (like DOMString or Trusted*
), right? So WebIDL argument conversion will pass either a WebIDL DOMString
value or a platform object that implements the right Trusted*
type.
Yep you're right. I'll close this out. (The algorithm will be removed by a draft PR I have)
https://w3c.github.io/trusted-types/dist/spec/#html-validate-the-string-in-context
https://w3c.github.io/trusted-types/dist/spec/#get-trusted-type-compliant-string-algorithm
Should https://w3c.github.io/trusted-types/dist/spec/#html-validate-the-string-in-context try to stringify the value before passing it to https://w3c.github.io/trusted-types/dist/spec/#get-trusted-type-compliant-string-algorithm?
In any case, when https://w3c.github.io/trusted-types/dist/spec/#html-validate-the-string-in-context 's
value
has no stringifier, https://w3c.github.io/trusted-types/dist/spec/#html-validate-the-string-in-context should presumably throw an exception.