Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Reject JS-y escapes in html strings. #242

Open
theengineear opened this issue Dec 22, 2024 · 4 comments
Open

Reject JS-y escapes in html strings. #242

theengineear opened this issue Dec 22, 2024 · 4 comments

Comments

@theengineear
Copy link
Collaborator

theengineear commented Dec 22, 2024
edited
Loading

Any \-escaping is a JS-y thing — not an HTML-y thing per-se. For example, \n, \b, \t, etc. have no real meaning within html content (they’re just literal characters). Rather than allow a confusing mix of JS-isms and HTML-isms — we could just throw when we encounter such escapes.

const foo = 'this is okay\u2026'; // This is normal JS
const moo = 'this will not fail, but is not what you want…'; // This is HTML-in-JS.
const mar = 'sure, you do you…'; // Also JS-y
const bar = html`this is not okay\u2026`; // This is JS-in-HTML
const pip = html`more\nbad\nthings`; // Newline escapes are also JS-in-HTML
const yuk = html`\w\h\y\?`; // Not that you would do this, but this would be silly.
const baz = html`this is okay…`; // This is HTML-y
const zip = html`also okay…`; // This is HTML-y
const zap = html`also okay, for completeness…`; // Also HTML-y
const yap = html`also okay, you do you…` // Also HTML-y

Technically, this simply involves looking at the strings.raw array (a special, raw version of the strings array passed to a tagged template function). If you see any unescaped \ patterns (other than for a literal backtick or backslash), we reject that input.
@theengineear theengineear changed the title Reject JS-y unicode escapes in html strings. Reject JS-y escapes in html strings. Dec 28, 2024
@Osintedx
Copy link

Osintedx commented Jan 2, 2025

I agree with the idea of separating JS and HTML escapes for clarity. It’ll help avoid confusion and bugs.

A couple of things to consider:

Error Messages: It might be helpful to add clear error messages when throwing errors, so developers know exactly how to fix the issue (e.g., replace \u2026 with …).

Linting/Pre-commit: We could also add a linting rule or pre-commit hook to catch these errors earlier.

Edge Cases: Are there any situations where this might accidentally flag valid escapes? It could be useful to document these cases.

@klebba
Copy link
Collaborator

klebba commented Jan 2, 2025

Hi @Osintedx — thanks for your interest — can you share more about how you are using x-element in your projects?

@Osintedx
Copy link

Osintedx commented Jan 3, 2025

Hi @Osintedx — thanks for your interest — can you share more about how you are using x-element in your projects?

I’m using x-element to build lightweight, reusable custom elements for my projects. It’s great for:

Efficient Templating: Handling DOM updates and data binding.
Syncing Attributes & Properties: Keeping data consistent in interactive components.
Event Delegation: Managing events cleanly in complex UIs.
Reactive Systems: Observing and computing properties easily.

@klebba
Copy link
Collaborator

klebba commented Jan 6, 2025

@Osintedx what is your purpose?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@klebba @theengineear @Osintedx