Comments (12)
I think sanitization should be the default. It's more often when you need sanitized output than not.
That definitely hasn't been my experience. The only time you need sanitisation is if you're rendering user input – every time I've used triples it's been to render e.g. a chunk of markdown that I wrote. Also, there are different forms/levels of sanitisation, and you penalise the majority of users if you include all the sanitisation code for everyone who uses triples.
I think sanitation is largely out of scope here. I'd say allow an optional hook to modify the resulting DOM before dropping it onto the page. If you wanted to make the dev's life a bit simpler, perhaps that hook could be for a visitor function called to filter each node down the resultant DOM tree.
Makes me think maybe browsers should be responsible for that – maybe a new API, e.g. as well as node.innerHTML = something there should be a node.safeInnerHTML = something. That way you'd have a clearly defined spec determining what is considered 'safe' and what constitutes an XSS vector etc, no room for framework authors to bork things up. One day...
@PaulBGD textContent is what regular {{ }} mustaches do already, this thread is about inserting HTML, which textContent cannot do, and a magical safeInnerHTML could do safely.
I think sanitation is largely out of scope here
👍 yeah, reflecting on it a bit I think you're right
@Rich-Harris I don't really know how you write apps, maybe you always work with people who don't make mistakes, but from my experience people always do and keep forgetting to use the syntax with sanitization. So even if that's only for user's input, it totally makes sense to have sanitization by default.
I don't mean triples here actually, I mean default interpolation syntax should sanitize and have a syntax to explicitly bypass it.
P.S. "should" in an ideal template engine (or whatever with templates) for me. Not that I'm telling you what you should do or not :-)
@NekR the regular interpolators only create text nodes, so there's really nothing to sanitize there. If you want to drop html into the template from a string, you would have to use a triple.
@evs-chris I see. That makes sense and that's exactly what I meant. Sorry for misunderstanding.
@Rich-Harris Is Node.textContent what you're looking for? https://developer.mozilla.org/en-US/docs/Web/API/Node/textContent
IE has a toStaticHTML method, but it is non-standard...
The way I implemented it in #124 btw is without sanitization. I think it's the responsibility of the template author to do that, and it would be as simple as defining a helper and calling {{{sanitize(rawHtml)}}}
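Two ideas in this thread are easy to confuse: a regular {{ }} mustache is safe because it creates a text node (nothing to sanitize), while a triple inserts markup and so needs a policy, either as a hook that filters each node of the resulting tree before insertion or as a sanitize() helper called from the triple. The following is an added example, not Svelte's code and not from #124, showing both sides: an escaping text interpolator, and an allowlist node visitor that cleans a parsed tree and serializes it back. The node shape ({ tag, attrs, children } with plain strings for text) and the policy sets are assumptions of this example; in a browser the tree would come from DOMParser, here it is constructed by hand.

```javascript
// Added example, not Svelte's code: an escaping text interpolator beside an
// allowlist node-visitor sanitizer of the kind the thread sketches (a hook that
// filters each node of the parsed tree before it is inserted, or a sanitize()
// helper called from a triple). The node shape is an assumption of this example:
//   element: { tag: 'a', attrs: { href: '/x' }, children: [ ...nodes ] }
//   text:    a plain JavaScript string
// In a browser the tree would come from DOMParser; here it is built by hand.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Equivalent of what a regular {{ }} mustache gets from creating a text node:
// markup characters become inert, so no element or attribute can be introduced.
function escapeText(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Policy: everything not named here is removed. Event-handler attributes (on*),
// style and the like never reach the output because they are not listed.
const ALLOWED_TAGS = new Set(['div', 'span', 'p', 'a', 'b', 'i', 'em', 'strong',
  'ul', 'ol', 'li', 'code', 'pre', 'br']);
const ALLOWED_ATTRS = new Map([['*', new Set(['title'])], ['a', new Set(['href', 'title'])]]);
const DROP_WITH_CONTENT = new Set(['script', 'style']); // their text is not prose
const URL_ATTRS = new Set(['href']);
const SAFE_SCHEMES = new Set(['http:', 'https:', 'mailto:']);
const VOID_TAGS = new Set(['br']);

// A URL-valued attribute is kept only if it is relative or uses an allowed scheme.
// Control characters and spaces are removed first, because browsers ignore them
// inside a scheme, so a check that left them in place would be too lenient.
function isSafeUrl(value) {
  const compact = String(value).replace(/[\u0000-\u0020]/g, '');
  const m = /^([a-z][a-z0-9+.-]*:)/i.exec(compact);
  if (!m) return true; // no scheme: relative URL
  return SAFE_SCHEMES.has(m[1].toLowerCase());
}

// Visitor: returns the cleaned replacement for one node as an array, so a node
// can be kept (one item), dropped (empty) or unwrapped (its surviving children).
function sanitize(node) {
  if (typeof node === 'string') return [node]; // text stays text
  const tag = node.tag.toLowerCase();
  if (DROP_WITH_CONTENT.has(tag)) return [];
  const children = (node.children || []).flatMap(sanitize);
  if (!ALLOWED_TAGS.has(tag)) return children; // unknown element: keep only its text
  const allowed = ALLOWED_ATTRS.get(tag) || ALLOWED_ATTRS.get('*');
  const attrs = {};
  for (const [name, value] of Object.entries(node.attrs || {})) {
    const key = name.toLowerCase();
    if (!allowed.has(key)) continue;
    if (URL_ATTRS.has(key) && !isSafeUrl(value)) continue;
    attrs[key] = value;
  }
  return [{ tag, attrs, children }];
}

// Serialize a cleaned tree back to markup; text and attribute values are escaped
// on the way out so the tree, not the original string, decides what is emitted.
function serialize(nodes) {
  return nodes.map((n) => {
    if (typeof n === 'string') return escapeText(n);
    const attrs = Object.entries(n.attrs).map(([k, v]) => ` ${k}="${escapeText(v)}"`).join('');
    if (VOID_TAGS.has(n.tag)) return `<${n.tag}${attrs}>`;
    return `<${n.tag}${attrs}>${serialize(n.children)}</${n.tag}>`;
  }).join('');
}

// The helper the last comment describes, minus the parsing step: what a triple
// would receive as {{{sanitizeTree(parsedHtml)}}}.
function sanitizeTree(tree) {
  return serialize(sanitize(tree));
}

// Constructed sample input: what a parser would yield for untrusted markup that
// mixes ordinary formatting with things the policy must strip.
const SAMPLE = {
  tag: 'div', attrs: { onmouseover: 'x()' }, children: [
    { tag: 'p', attrs: { title: 'ok' }, children: ['Hello <world>'] },
    { tag: 'script', attrs: {}, children: ['x()'] },
    { tag: 'a', attrs: { href: 'javascript:void(0)', onclick: 'x()' }, children: ['click'] },
    { tag: 'a', attrs: { HREF: 'https://example.com/?q=1&r=2' }, children: ['ok link'] },
    { tag: 'custom-el', attrs: {}, children: ['kept text'] },
  ],
};

console.log(sanitizeTree(SAMPLE));
// <div><p title="ok">Hello &lt;world&gt;</p><a>click</a><a href="https://example.com/?q=1&amp;r=2">ok link</a>kept text</div>
```

The design choice worth noticing is that the policy is an allowlist over a parsed tree, not a blocklist over the raw string: an unknown element is unwrapped to its text, an unlisted attribute is dropped without needing a pattern for it, and output is re-serialized with escaping, so the original string never reaches the page. Unwrapping unknown elements is the lenient option chosen here; a stricter policy could drop them with their content as is done for script and style.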