Comments (3)
There is no special reason why this is escaped. I just thought it's invalid not to do so. Also, I thought there is a security issue in not escaping it.
I think at least the quotes have to be escaped.
from mithril-node-render.
Reading the HTML spec, it seems that any character is valid inside attribute values. I'm not sure if that means they should be escaped, though.
That being said, having unescaped double quotes is definitely not valid (assuming double quotes are used for wrapping the value). Somehow I don't like the idea of only escaping double quotes, it seems a bit... hacky. What do you think? Might be better to raise an exception in case of a double quote. In any case, allowing them unescaped by default is probably not a good idea. Escaping is probably most often the expected behaviour, even.
Having this as an option might be the way to go. Even better if it could be defined per element, e.g.
m('div', { id: m.trust('foobar') })
That seems to work okay in Mithril still. It's a bit hacky as well though, since it's not what m.trust was intended for. Introducing some other way (e.g. special properties) is probably a bad idea.
So, I guess my proposal would be to allow it as a universal option, something like this:
render(component, { escapeAttributeValues: false });
Would be great to hear the opinion of someone smarter than me.
from mithril-node-render.
Yep. Feel free to implement it that way.
from mithril-node-render.
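The attribute-escaping behaviour discussed in this thread, as an added example that is not part of the original issue and not mithril-node-render's own code. `escapeAttributeValue`, `renderOpenTag` and `parseAttributeNames` are hypothetical helpers, the `escapeAttributeValues` option name follows the proposal in the thread, and the input value is constructed.

```javascript
// Added example; hypothetical helpers, not the library's implementation.

// Escape the two characters that are significant inside a double-quoted
// attribute value: '&' starts a character reference, '"' ends the value.
// '&' is replaced first so the '&' in '&quot;' is not escaped a second time.
function escapeAttributeValue(value) {
  return String(value).replace(/&/g, '&amp;').replace(/"/g, '&quot;');
}

// Render an opening tag with double-quoted attributes. The option name
// mirrors the one proposed in the thread; escaping stays on unless the
// caller explicitly passes escapeAttributeValues: false.
function renderOpenTag(tag, attrs, options = {}) {
  const escape = options.escapeAttributeValues !== false;
  const parts = Object.keys(attrs).map((name) => {
    const raw = String(attrs[name]);
    return `${name}="${escape ? escapeAttributeValue(raw) : raw}"`;
  });
  return `<${tag}${parts.length ? ' ' + parts.join(' ') : ''}>`;
}

// Minimal reader for double-quoted attributes, used only to show how the
// rendered tag is split into attributes. Not a full HTML parser.
function parseAttributeNames(openTag) {
  const names = [];
  const re = /([^\s"=<>\/]+)="([^"]*)"/g;
  let match;
  while ((match = re.exec(openTag)) !== null) names.push(match[1]);
  return names;
}

// Constructed sample input: an id value that contains a double quote.
const untrusted = 'x" data-injected="yes';

const safeTag = renderOpenTag('div', { id: untrusted });
const rawTag = renderOpenTag('div', { id: untrusted }, { escapeAttributeValues: false });

console.log(safeTag, parseAttributeNames(safeTag)); // one attribute: id
console.log(rawTag, parseAttributeNames(rawTag));   // value split into two attributes
```

With escaping on, the whole input stays inside `id`; with it off, the quote ends the value early and the remainder is read as a second attribute, which is why the option should only be disabled for values the application fully controls.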