Svelte: {{{triples}}}

Created on 29 Nov 2016  ·  12Comments  ·  Source: sveltejs/svelte

We'll eventually need some way to inject arbitrary (sanitized? or is that the dev's responsibility?) HTML

All 12 comments

I think sanitation is largely out of scope here. I'd say allow an optional hook to modify the resulting DOM before dropping it onto the page. If you wanted to make the dev's life a bit simpler, perhaps that hook could be for a visitor function called to filter each node down the resultant DOM tree.

I think sanitation is largely out of scope here

👍 yeah, reflecting on it a bit I think you're right

I think sanitization should be the default. It's more often when you need sanitized output than not.

That definitely hasn't been my experience. The only time you need sanitisation is if you're rendering user input – every time I've used triples it's been to render e.g. a chunk of markdown that I wrote. Also, there are different forms/levels of sanitisation, and you penalise the majority of users if you include all the sanitisation code for everyone who uses triples.

@Rich-Harris I don't really know how you write apps, maybe you always work with people who don't make mistakes, but from my experience people always do and keep forgetting to use the syntax with sanitization. So even if that's only for user's input, it totally makes sense to have sanitization by default.

I don't mean triples here actually, I mean default interpolation syntax should sanitize and have a syntax to explicitly bypass it.

P.S. "should" in an ideal template engine (or whatever with templates) for me. Not that I'm telling to you what you should do or not :-)

@NekR the regular interpolators only create text nodes, so there's really nothing to sanitize there. If you _want_ to drop html into the template from a string, you would have to use a triple.

@evs-chris I see. That makes sense and that's exactly what I meant. Sorry for misunderstanding.

P.S. "should" in an ideal template engine (or whatever with templates) for me

Makes me think maybe browsers should be responsible for that – maybe a new API, e.g. as well as node.innerHTML = something there should be a node.safeInnerHTML = something. That way you'd have a clearly defined spec determining what is considered 'safe' and what constitutes an XSS vector etc, no room for framework authors to bork things up. One day...

@Rich-Harris Is Node.textContent what you're looking for?
https://developer.mozilla.org/en-US/docs/Web/API/Node/textContent

IE has a toStaticHTML method, but it is non-standard...

@PaulBGD textContent is what regular {{ }} mustaches do already, this thread is about inserting HTML, which textContent cannot do, and a magical safeInnerHTML could do safely.

The way I implemented it in #124 btw is without sanitization. I think it's the responsibility of the template author to do that, and it would be as simple as defining a helper and calling {{{sanitize(rawHtml)}}}
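An added illustration (not Svelte's own code, and not from #124) of the three behaviours the thread contrasts: `{{ }}` producing a text node, `{{{ }}}` inserting raw HTML unchanged, and the `{{{sanitize(rawHtml)}}}` pattern from the last comment with a hypothetical, deliberately conservative `sanitize` helper. The helper keeps only a small allowlist of attribute-free formatting tags and HTML-escapes everything else, so it runs in Node without a DOM.

```javascript
// Added illustration of the three behaviours discussed in the thread;
// not Svelte's own code. Runs in Node without a DOM.

// Escape text for insertion into HTML. This is what a text node gives you:
// the browser shows the characters literally, so nothing here can execute.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// {{ value }} : equivalent of node.textContent = value.
function renderDouble(value) {
  return escapeHtml(value);
}

// {{{ value }}} : equivalent of node.innerHTML = value. No processing at all,
// so the template author is responsible for what goes in.
function renderTriple(value) {
  return String(value);
}

// Hypothetical helper for the {{{sanitize(rawHtml)}}} pattern: keep a small
// allowlist of bare formatting tags and HTML-escape everything else. A tag
// carrying any attributes is escaped too, so no handler or URL survives.
const ALLOWED_TAGS = new Set(['b', 'i', 'em', 'strong', 'p', 'br', 'code', 'ul', 'ol', 'li']);
const TAG_RE = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)[^>]*>/g;

function sanitize(rawHtml) {
  const input = String(rawHtml);
  let out = '';
  let last = 0;
  for (const m of input.matchAll(TAG_RE)) {
    out += escapeHtml(input.slice(last, m.index));      // text between tags
    const [whole, slash, name] = m;
    const bare = `<${slash}${name}>`;                     // same tag with no attributes
    const keep = ALLOWED_TAGS.has(name.toLowerCase()) && whole === bare;
    out += keep ? bare.toLowerCase() : escapeHtml(whole);
    last = m.index + whole.length;
  }
  return out + escapeHtml(input.slice(last));           // trailing text
}

module.exports = { escapeHtml, renderDouble, renderTriple, sanitize };
```

Constructed inputs such as `'<b>hi</b> <script>alert(1)</script>'` come back as `<b>hi</b> &lt;script&gt;alert(1)&lt;/script&gt;`, while `renderTriple` returns them untouched, which is exactly the gap the thread is about.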
