
What about escaping specific BEMJSON field, e.g. 'contentSafe'?

Open f0rmat1k opened this issue 8 years ago • 14 comments

Something like this: { block: 'button', contentSafe: '<script>alert("you shall not pass!")</script>' }

f0rmat1k avatar Feb 15 '17 10:02 f0rmat1k

@f0rmat1k escaping or contentSafe? They are opposite things. Escaping any field means you don't trust its value. But by naming the field contentSafe we assume that its content is safe and its value should be output as is.

In BH you can use html field. See test: https://github.com/bem/bh/blob/master/test/test.html.js#L14

miripiruni avatar Feb 15 '17 10:02 miripiruni

Feels like it's the same as safe/unsafe to mark fields as "need escaping" and "does not need escaping" flags.

I like the way we do it in bem-xjst: { content: { html: '<script>alert(1);</script>' } } (same as safe: '<script>alert(1);</script>'), but I agree that the opposite will be useful too, to avoid calling the escaping method directly.

qfox avatar Feb 15 '17 10:02 qfox

@miripiruni I just wanted to say that now I have to escape any content by hand:

{
   content: escape('content')
}

A global option isn't useful. Maybe BH should really force-escape the content field? And do it like React:

{
   dangerouslyContent: '<span>content</span>'
}

Anyway, for me it would be enough to have some field where I can put content to be escaped.

f0rmat1k avatar Feb 15 '17 10:02 f0rmat1k

@f0rmat1k I don't understand why the option escapeContent: true doesn't do what you want?

Yeti-or avatar Mar 17 '17 16:03 Yeti-or

@Yeti-or because it affects the whole project

f0rmat1k avatar Mar 17 '17 18:03 f0rmat1k

Like that?

bh.match('*', function(ctx, json){
  if(json.dangerousContent) {
    json.content = bh.escape(json.dangerousContent)
  }
})

qfox avatar Mar 17 '17 18:03 qfox

var bemjson = {
  content: [
    'this wont be escaped',
    { unsafe: true, content: [
      'But this will be escaped'
    ] }
  ]
};

And...

bh.match('*', function(ctx, json) {
  if (json.unsafe) {
    // flag the node, let the base template render it, then clear the flag
    ctx.unsafe = true;
    var res = ctx.applyBase();
    ctx.unsafe = false;
    return res;
  }
});

bh.match('*', function(ctx, json) {
  if (ctx.unsafe) {
    // escape content manually here
  }
});

qfox avatar Mar 17 '17 19:03 qfox

React escaping affects the whole project too

Yeti-or avatar Mar 17 '17 19:03 Yeti-or

@Yeti-or but React has dangerouslySetInnerHTML

f0rmat1k avatar Mar 18 '17 03:03 f0rmat1k

@f0rmat1k BH has content: { tag: false, html: ... } that works like dangerouslySetInnerHTML: ...

qfox avatar Mar 18 '17 12:03 qfox

@zxqfox So I will have to create a .bh for every block (usually priv is enough for me). It isn't as simple as a specific BEMJSON field. But thank you for the advice.

f0rmat1k avatar Mar 18 '17 18:03 f0rmat1k

The "compromising" logic can be implemented via tParam: set it for all children somewhere at the level of a block that has a template. That is, compromise a branch in the BEMJSON rather than a single node.

mishanga avatar Mar 20 '17 07:03 mishanga

Oh, when I wrote about ctx, I meant tParam for the subtree. I'll fix the snippet.

qfox avatar Mar 20 '17 12:03 qfox

Without tParam: https://goo.gl/JvaD4D It seems that this is even better. With tParam: ~https://goo.gl/sAFRbg~ https://goo.gl/RRU1nW

qfox avatar Mar 20 '17 18:03 qfox
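The idea from qfox's snippet and mishanga's tParam comment above, as an added standalone example that is not BH's own code and does not use the bh package: a minimal BEMJSON renderer in which an `unsafe` flag (the field name is assumed here) is propagated down the whole subtree the way a tParam would be, so every string under the flagged node is escaped while sibling text outside that branch is emitted as-is.

```javascript
// Added example: models "flag a BEMJSON branch, escape everything under it".
// Not the bh library; `render` stands in for BH's template engine and the
// `inheritedUnsafe` argument plays the role of the tParam passed to children.
const ESCAPE_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape text so it renders as literal characters, never as markup.
function xmlEscape(str) {
  return String(str).replace(/[&<>"']/g, (ch) => ESCAPE_MAP[ch]);
}

// Render a node: string, array, or { block, tag, content, unsafe }.
// Once a node is flagged, the flag is inherited by all of its descendants,
// so the branch is escaped rather than the single node.
function render(node, inheritedUnsafe = false) {
  if (node === null || node === undefined || node === false) return '';
  if (Array.isArray(node)) return node.map((n) => render(n, inheritedUnsafe)).join('');
  if (typeof node !== 'object') return inheritedUnsafe ? xmlEscape(node) : String(node);
  const unsafe = inheritedUnsafe || node.unsafe === true;
  const inner = render(node.content, unsafe);
  // tag: false means "no wrapper element", as in the thread's { tag: false, html: ... }
  if (node.tag === false) return inner;
  const tag = node.tag || 'div';
  // the block name goes into an attribute, so it is escaped as well
  const cls = node.block ? ` class="${xmlEscape(node.block)}"` : '';
  return `<${tag}${cls}>${inner}</${tag}>`;
}

// Constructed sample in the shape of qfox's BEMJSON: the first string is
// trusted, everything under { unsafe: true } is untrusted input.
const bemjson = {
  block: 'page',
  content: [
    'this <b>wont</b> be escaped',
    { unsafe: true, content: ['<script>alert(1)</script>', { block: 'inner', content: '<i>x</i>' }] },
  ],
};

function renderSample() {
  return render(bemjson);
}
```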