
{{{triples}}} (svelte issue, closed, 12 comments)

sveltejs commented on September 27, 2024 6
{{{triples}}}

from svelte.

Comments (12)

NekR commented on September 27, 2024 3

I think sanitization should be the default. It's more often when you need sanitized output than not.

Rich-Harris commented on September 27, 2024 2

That definitely hasn't been my experience. The only time you need sanitisation is if you're rendering user input – every time I've used triples it's been to render e.g. a chunk of markdown that I wrote. Also, there are different forms/levels of sanitisation, and you penalise the majority of users if you include all the sanitisation code for everyone who uses triples.

evs-chris commented on September 27, 2024 1

I think sanitation is largely out of scope here. I'd say allow an optional hook to modify the resulting DOM before dropping it onto the page. If you wanted to make the dev's life a bit simpler, perhaps that hook could be for a visitor function called to filter each node down the resultant DOM tree.

Rich-Harris commented on September 27, 2024 1

P.S. "should" in an ideal template engine (or whatever with templates) for me

Makes me think maybe browsers should be responsible for that – maybe a new API, e.g. as well as node.innerHTML = something there should be a node.safeInnerHTML = something. That way you'd have a clearly defined spec determining what is considered 'safe' and what constitutes an XSS vector etc, no room for framework authors to bork things up. One day...

jacobmischka commented on September 27, 2024 1

@PaulBGD textContent is what regular {{ }} mustaches do already, this thread is about inserting HTML, which textContent cannot do, and a magical safeInnerHTML could do safely.

Rich-Harris commented on September 27, 2024

I think sanitation is largely out of scope here

👍 yeah, reflecting on it a bit I think you're right

NekR commented on September 27, 2024

@Rich-Harris I don't really know how to write apps, maybe you always work with people who don't make mistakes, but from my experience people always do and keep forgetting to use the syntax with sanitization. So even if that's only for user's input, it totally makes sense to have sanitization by default.

I don't mean triples here actually, I mean default interpolation syntax should sanitize and have a syntax to explicitly bypass it.

P.S. "should" in an ideal template engine (or whatever with templates) for me. Not that I'm telling to you what you should do or not :-)

evs-chris commented on September 27, 2024

@NekR the regular interpolators only create text nodes, so there's really nothing to sanitize there. If you want to drop HTML into the template from a string, you would have to use a triple.

NekR commented on September 27, 2024

@evs-chris I see. That makes sense and that's exactly what I meant. Sorry for misunderstanding.

PaulBGD commented on September 27, 2024

@Rich-Harris Is Node.textContent what you're looking for?
https://developer.mozilla.org/en-US/docs/Web/API/Node/textContent

azu commented on September 27, 2024

IE has toStaticHTML method, but it is non-standard...

Swatinem commented on September 27, 2024

The way I implemented it in #124 btw is without sanitization. I think it's the responsibility of the template author to do that, and it would be as simple as defining a helper and calling {{{sanitize(rawHtml)}}}
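
As an added example (not Svelte's code and not code from any of the commenters), the following JavaScript models the distinction evs-chris draws between the text-node interpolation `{{ }}` and the raw-HTML triple `{{{ }}}`, together with the author-defined `{{{sanitize(rawHtml)}}}` helper Swatinem describes. The `render`, `escapeText`, `sanitize`, `renderAttrs` and `safeHref` functions, the allowlists, and the sample inputs are all constructed for this example and are not a Svelte API.

```javascript
// Added example, not code from Svelte or from this thread's authors.
// It models the three interpolation forms discussed in the thread:
//   {{ value }}              text-node semantics: every character is escaped
//   {{{ value }}}            raw HTML, inserted as-is (the template author vouches for it)
//   {{{ sanitize(value) }}}  raw HTML filtered by an author-defined helper
// The sanitizer is a deliberately small allowlist filter (hypothetical, not a
// library API); a real application would use a maintained library such as DOMPurify.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// What {{ }} does: the string can never become markup.
function escapeText(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Allowlist for the sanitize helper: tags that survive, and per-tag attributes.
const ALLOWED_TAGS = new Set(['p', 'b', 'i', 'em', 'strong', 'a', 'ul', 'ol', 'li', 'code', 'pre', 'br']);
const ALLOWED_ATTRS = { a: new Set(['href']) };
// Elements whose content is dropped too, not just the tags around it.
const DROP_CONTENT = new Set(['script', 'style', 'iframe', 'object', 'embed', 'textarea', 'title']);

// One tag token: '<', optional '/', a name, zero or more attributes, optional '/', '>'.
const TAG_RE = /<(\/?)([a-zA-Z][a-zA-Z0-9-]*)((?:\s+[^\s=>]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>"']+))?)*)\s*\/?>/g;
const ATTR_RE = /([^\s=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>"']+)))?/g;

// An href is kept only for http(s), mailto or relative targets. Browsers strip
// ASCII controls/whitespace and decode entities before parsing the URL, so the
// scheme part is checked with controls removed and any '&' in it is rejected.
function safeHref(value) {
  const stripped = value.replace(/[\u0000-\u0020]/g, '');
  const head = stripped.split(/[\/?#]/)[0];
  if (head.includes('&')) return false;
  const scheme = head.match(/^([a-z][a-z0-9+.-]*):/i);
  return !scheme || ['http', 'https', 'mailto'].includes(scheme[1].toLowerCase());
}

function renderAttrs(tag, attrText) {
  const allowed = ALLOWED_ATTRS[tag];
  if (!allowed) return '';
  let out = '';
  for (const a of attrText.matchAll(ATTR_RE)) {
    const attr = a[1].toLowerCase();
    const value = a[2] ?? a[3] ?? a[4] ?? '';
    if (!allowed.has(attr)) continue;                   // drops on* handlers, style, etc.
    if (attr === 'href' && !safeHref(value)) continue;  // drops javascript: and similar schemes
    out += ` ${attr}="${value.replace(/"/g, '&quot;')}"`;
  }
  return out;
}

// The helper a template author would register and call as {{{sanitize(rawHtml)}}}.
function sanitize(rawHtml) {
  const escapeBrackets = (s) => s.replace(/</g, '&lt;').replace(/>/g, '&gt;');
  let out = '';
  let last = 0;
  let dropUntil = null; // name of the DROP_CONTENT element we are currently inside
  for (const m of rawHtml.matchAll(TAG_RE)) {
    const [token, slash, rawName, attrText] = m;
    const name = rawName.toLowerCase();
    const text = rawHtml.slice(last, m.index);
    last = m.index + token.length;
    if (dropUntil) {
      if (slash && name === dropUntil) dropUntil = null;
      continue;                                          // swallow the content of <script> etc.
    }
    out += escapeBrackets(text);                         // a stray '<' in text can't open a tag
    if (DROP_CONTENT.has(name) && !slash) { dropUntil = name; continue; }
    if (!ALLOWED_TAGS.has(name)) continue;               // unknown tag: remove the tag, keep its text
    out += slash ? `</${name}>` : `<${name}${renderAttrs(name, attrText)}>`;
  }
  return out + escapeBrackets(rawHtml.slice(last));
}

// Minimal mustache-style renderer showing where each form lands in the output.
function render(template, data) {
  return template.replace(/\{\{\{\s*([^}]*?)\s*\}\}\}|\{\{\s*([^}]*?)\s*\}\}/g, (_, triple, double) => {
    if (triple !== undefined) {
      const helper = triple.match(/^sanitize\((\w+)\)$/);
      return helper ? sanitize(String(data[helper[1]] ?? '')) : String(data[triple] ?? '');
    }
    return escapeText(data[double] ?? '');
  });
}

// Constructed sample: the same untrusted string through all three forms.
const untrusted = '<b onmouseover=alert(1)>hi</b><script>alert(1)</script>';
console.log(render('<p>{{ html }}</p>', { html: untrusted }));
console.log(render('<p>{{{ html }}}</p>', { html: untrusted }));
console.log(render('<p>{{{ sanitize(html) }}}</p>', { html: untrusted }));
```

The design choice worth noticing is that the sanitizer is an allowlist, not a denylist: tags and attributes not explicitly permitted are removed, so a new event-handler attribute or element name does not need to be anticipated. The `href` check rejects any `&` in the scheme position because the browser decodes entities before parsing the URL, which is the reason a naive `^javascript:` test is not enough. The block assumes Node 14 or later for `??` and `String.prototype.matchAll`.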
