element-internals-polyfill icon indicating copy to clipboard operation
element-internals-polyfill copied to clipboard

Published 20 hours ago verified publisher icon calebdwilliams

Invalid elements allow trigger inline `submit` handlers and preact submit handlers

Open enjoythelive1 opened this issue 3 years ago • 3 comments

The issue is that these listeners are registered before the polyfill has time to register its own listener to stop the propagation of the submit event.

Here I include 3 reproductions:

  • Inline listener in the html: https://plnkr.co/edit/RMzepi3OuFHIfRu2
  • Inline listener, but programatically: https://plnkr.co/edit/kv5GKJpwUvG2c20q
  • Preact: https://jsitor.com/DwDrFShze

enjoythelive1 avatar Jul 28 '21 12:07 enjoythelive1

This is partially resolved in [email protected]. I'm afraid I don't know enough about how Preact handles the onSubmit event to know how to get around that particular issue.

@enjoythelive1, would you have any idea how to access that callback function (or know anyone who might)? I'm guessing it's in Preact's internals and we might be out of luck there.

calebdwilliams avatar Jul 30 '21 01:07 calebdwilliams

I think it has to do with how the vdom renders the components. The listeners to the form are attached before the polyfill can attach them, because the custom elements are instantiated after the form was instantiated with its own properties.

I think we need to catch the event before the target phase of it ('using capture'). Maybe a listener with useCapture=true at the root node of where the form is located. Having that one listener would intercept all submit events and be able to stop propagation ASAP. Even before the target fase, and that would also simplify the logic you used to store all the inline listeners of forms.

I would implement it my self, but I do't know my way around your test suite.

enjoythelive1 avatar Jul 30 '21 08:07 enjoythelive1

Yeah, that's exactly it. It looks like I'll have to patch document.createElement to get this to work properly (working example here). I'm not entirely sure I like this approach, but I'm still thinking about it.

calebdwilliams avatar Sep 12 '21 19:09 calebdwilliams

This issue is still a thing. Run this example (before fix) in Safari or overwrite the function isElementInternalsSupported.

function isElementInternalsSupported() { return false; }

This example shows that the submit event handlers added to the form programmatically can submit data even if the form is invalid.

To prevent this, we should listen to the submit events on the submit button and prevent default handling. This example (with fix) does precisely this. PR is coming.

sipris avatar Sep 12 '22 16:09 sipris

Should be fixed in [email protected]. Thanks @sipris!

calebdwilliams avatar Sep 15 '22 00:09 calebdwilliams