-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix 8166 html tag validation #8176
base: master
Are you sure you want to change the base?
Conversation
The latest updates on your projects. Learn more about Vercel for Git ↗︎
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks @pmario just some minor points
if($tw.config.htmlUnsafeElements.indexOf(this.tag) !== -1) { | ||
this.tag = "safe-" + this.tag; | ||
} | ||
this.tag = $tw.utils.makeTagNameSafe(this.tag, "safe" + this.tag); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The original code here was attempting to sanitise the tag name provided by the user. This is in contrast to the behaviour of the helper function which is to fall back to a default if the provided tag name is not valid.
I think one approach or there other should be used consistently across the board. I'd favour the sanitising approach.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The logic does only sanitise the tag if it is not valid. That's exactly, what the new code does
@@ -200,7 +197,7 @@ FramedEngine.prototype.handleFocusEvent = function(event) { | |||
Handle a keydown event | |||
*/ | |||
FramedEngine.prototype.handleKeydownEvent = function(event) { | |||
if ($tw.keyboardManager.handleKeydownEvent(event, {onlyPriority: true})) { | |||
if($tw.keyboardManager.handleKeydownEvent(event, {onlyPriority: true})) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There's quite a few whitespace changes in this PR that make it hard to follow. I'd welcome separate PRs to handle whitespace changes.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It think, they have been automatically changed by VSCode on file save because of the global eslint settings. This behaviour started for me as eslint was defined under devDependencies in package.json
exports.makeTagNameSafe = function(tag,defaultTag) { | ||
defaultTag = defaultTag || "SPAN"; | ||
// This implements a check for standard DOM elements: https://html.spec.whatwg.org/#syntax-tag-name | ||
// It does _not_ deal with Custom Elements: https://html.spec.whatwg.org/#valid-custom-element-name |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we should allow for custom elements.
This PR fixes #8166
It adds a new function to
$tw.utils.makeTagNameSafe(tag, defaultTag)
It replaces all the hardcoded checks using
if(complex logic)
with a simple to read function call