Comments (2)
I just did it again, opening an issue without noticing #43 and #45. However, reviewing the discussion, I still think a PR (I'll see if I can help with that) would make sense, to be able to use `include_moment()` just as the library is thought to be used.

I see the past discussion mentions the fact that this specific usage of eval seems unharmful (which I agree with), but the problem is that if we want to use `include_moment()` and CSP, it means using `unsafe-eval` for all the scripts on the webpage, and thus potentially allowing other libraries/malicious scripts usage of `eval()`...

from flask-moment.
Looking a bit more at the code, it seems to me that this is solvable pretty easily.

Right now the code works by generating a `<span>` tag with a `data-timestamp` and a `data-format` attribute. The `data-timestamp` is fine (and its content can later be retrieved and passed to the `moment()` function without needing `eval()`), but the issue comes from the `data-format` attribute, which contains both the function and the argument(s) that need to be performed on the Moment object.

It seems to me that by separating the content of what goes now in `data-format` we can get rid pretty easily of the call to `eval()`; these would be the changes to apply to the `_render()` Python function:
- remove `data-format`
- add a new `data-function` that would simply be the name of the function in string format (like "format", "fromNow" or "calendar")
- add a new `data-argument` that would be the argument passed when the function is `format`, `fromNow`, or `from` (no need for arguments when the function is `calendar()`, `valueOf()` or `unix()`)
- one last `data-from-timestamp` when the function is "from", since the call to `from` needs a second attribute to indicate the first timestamp

Then in the JavaScript code that gets generated at the bottom of `include_moment()`:
- call `moment($(elem).data('timestamp'))` to get the Moment representation of the timestamp
- and then a switch statement based on `$(elem).data('function')` that calls the appropriate Moment JavaScript function with the `$(elem).data('argument')` argument (and the extra second argument `$(elem).data('from-timestamp')` when the function is "from")
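One way the `eval()`-free client side proposed in the comment above could look, written as an added example and not code from flask-moment or its author. It assumes the attribute names the comment proposes (`data-function`, `data-argument`, `data-from-timestamp`, read here through `HTMLElement.dataset`, so `fromTimestamp` in camelCase), a `.flask-moment` class on the generated spans, and a global `moment()`; the lookup table replaces both the `eval()` call and the proposed `switch`.

```javascript
// Allowlisted dispatch for the generated flask-moment client code: the span's
// data-function value is looked up here instead of being eval()'d. A Map has
// no inherited keys, so names like "constructor" or "toString" never match.
const MOMENT_FUNCTIONS = new Map([
  ['format',   (m, arg) => m.format(arg)],
  ['fromNow',  (m, arg) => m.fromNow(arg)],
  ['calendar', (m) => m.calendar()],
  ['valueOf',  (m) => m.valueOf()],
  ['unix',     (m) => m.unix()],
  // "from" needs the second timestamp from data-from-timestamp (assumed name).
  ['from',     (m, arg, fromTs, momentFn) => m.from(momentFn(fromTs), arg)],
]);

// Render one element from its data-* values (camelCase, as in HTMLElement.dataset):
// { timestamp, function, argument, fromTimestamp }. momentFn is moment().
function renderMomentElement(data, momentFn) {
  const name = data.function;
  const handler = MOMENT_FUNCTIONS.get(name);
  if (handler === undefined) {
    // Unknown or tampered data-function: fail closed instead of executing it.
    throw new Error(`flask-moment: unsupported function "${name}"`);
  }
  if (name === 'from' && data.fromTimestamp === undefined) {
    throw new Error('flask-moment: "from" requires data-from-timestamp');
  }
  const m = momentFn(data.timestamp);
  return String(handler(m, data.argument, data.fromTimestamp, momentFn));
}

// Replacement for the loop at the bottom of include_moment(): elements is any
// iterable of DOM-like nodes exposing .dataset and .textContent.
// Returns the number of elements rendered.
function renderAllMomentElements(elements, momentFn) {
  let rendered = 0;
  for (const el of elements) {
    el.textContent = renderMomentElement(el.dataset, momentFn);
    rendered += 1;
  }
  return rendered;
}

// In a browser with moment.js loaded this renders every flask-moment span
// (assumed class name); under Node (no DOM) it is a no-op.
if (typeof document !== 'undefined' && typeof moment !== 'undefined') {
  renderAllMomentElements(document.querySelectorAll('.flask-moment'), moment);
}
```

Because the rendered text comes from a fixed table of method calls, the page can keep a CSP without `unsafe-eval` and an attacker who controls a `data-function` value gets an exception, not code execution.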