
Result of SECOND call to partial from r.JavaScript(...) will be escaped content!?

Open MaMrEzO opened this issue 5 years ago • 1 comments

As described here in the Naming partial example, we are able to use a partial as below (a one-level partial call). t1.html, which uses the partial _t1.html:

<h1>Create New User</h1>

<%= partial("t1.html") %>

_t1.html:

<form action="/users">
<!-- form stuff here  -->
</form>

That will get us:

<h1>Create New User</h1>

<form action="/users">
<!-- form stuff here  -->
</form>

That's good, but what I'm trying to do is this. t1.js:

$("#app-content").replaceWith('<%= partial("t1.html") %>');

_t1.html:

<main class="app-content" id="app-content">
  <h1>Create New User</h1>
  <%= partial("person/_t1.form.html") %>
</main>

_t1.form.html:

<div> FORM? </div>

And in the action (Go) (templating and rendering with plush):

c.Render(200, r.JavaScript("t1.js"))

gets me something like this:

<main class="app-content" id="app-content">
  <h1>Create New User</h1>
  \x3Cdiv\x3E FORM? \x3C/div\x3E\u000A
</main>

And what I expected:

<main class="app-content" id="app-content">
  <h1>Create New User</h1>
<div> FORM? </div>
</main>

Did I miss something, or can it be done?

MaMrEzO, Jan 06 '20 08:01

Renderer JavaScript:

The new JavaScript renderer also has its own implementation of the partial function. This new implementation behaves almost the same as the original implementation, but is smart enough to know that if you are rendering an *.html file inside of a *.js file that it will need to be escaped properly, and so it does it for you.

But it is not quite as described! Yes, we are in a JS template, and partial calls here must be escaped, but a partial called from inside an HTML partial must be rendered with the HTML implementation, not the JavaScript one...

MaMrEzO, Jan 07 '20 12:01

I am not 100% sure, but the behavior described in the document was changed at v0.13.3 by https://github.com/gobuffalo/buffalo/pull/1433. There is not much description on the PR, but the PR removed the buffalo-specific helper function (link [1]).

Basically, the policy on JavaScript and/or HTML escaping is somewhat tricky, since there is a trade-off between convenience and security concerns (such as script injection), even though the partial function is basically not for end-user content but for developers, so there are completely different opinions on the way to handle them.

You can also find related discussions or requests on the following issues or PRs:

  • https://github.com/gobuffalo/plush/issues/79#issuecomment-1236474367
  • https://github.com/gobuffalo/plush/pull/77
  • https://github.com/gobuffalo/plush/issues/99

[1] https://github.com/gobuffalo/buffalo/pull/1433/files#diff-b8d27da23a85850a0647363bbb0c79e915ffbe57d0720c296531e03427f820c3L53

sio4, Sep 05 '22 09:09
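To make the two behaviours in this thread concrete (the reporter's observed output with `\x3Cdiv\x3E` inside the HTML, versus the expected output, and the escaping trade-off sio4 mentions), here is an added Go example. It is not plush's or Buffalo's code: the template names follow the issue (t1.js, _t1.html, _t1.form.html), but the partial functions, the minimal `jsEscape`/`jsUnescape` pair and `BrowserSees` are hypothetical stand-ins that reproduce the escape formats shown above. `RenderEscapeOnce` composes the HTML partials as HTML and escapes once at the HTML-to-JS boundary; `RenderEscapeEveryLevel` escapes at every partial call, which double-escapes the inner partial and leaves the literal `\x3C` sequences in the DOM, exactly as reported. Both variants keep the string literal itself safe (no raw quote or newline can break out of it); the bug is only where the escaping happens, not whether it happens.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// jsEscape escapes an HTML fragment for use inside a single-quoted
// JavaScript string literal, using the \xHH / \uHHHH forms seen in the
// issue. Minimal stand-in (assumption), not plush's or text/template's escaper.
func jsEscape(s string) string {
	var b strings.Builder
	for _, r := range s {
		switch r {
		case '\\':
			b.WriteString(`\\`)
		case '\'':
			b.WriteString(`\'`)
		case '"':
			b.WriteString(`\"`)
		case '<':
			b.WriteString(`\x3C`)
		case '>':
			b.WriteString(`\x3E`)
		case '\n':
			b.WriteString(`\u000A`)
		default:
			b.WriteRune(r)
		}
	}
	return b.String()
}

// jsUnescape models what the browser does when it evaluates the literal:
// exactly one pass of escape-sequence decoding (only jsEscape's forms).
func jsUnescape(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		if s[i] != '\\' || i+1 >= len(s) {
			b.WriteByte(s[i])
			continue
		}
		i++ // look at the character after the backslash
		width := 0
		switch s[i] {
		case 'x':
			width = 2
		case 'u':
			width = 4
		default: // \\  \'  \"
			b.WriteByte(s[i])
			continue
		}
		if i+width < len(s) {
			if v, err := strconv.ParseUint(s[i+1:i+1+width], 16, 32); err == nil {
				b.WriteRune(rune(v))
				i += width
				continue
			}
		}
		b.WriteByte('\\') // not a valid sequence; keep it verbatim
		b.WriteByte(s[i])
	}
	return b.String()
}

// formPartial is _t1.form.html (constructed sample content from the issue).
func formPartial() string { return "<div> FORM? </div>\n" }

// mainPartial is _t1.html; inner is inserted verbatim, HTML into HTML.
func mainPartial(inner string) string {
	return "<main class=\"app-content\" id=\"app-content\">\n" +
		"  <h1>Create New User</h1>\n" +
		"  " + inner +
		"</main>\n"
}

// jsTemplate is t1.js; body must already be a safe string-literal body.
func jsTemplate(body string) string {
	return `$("#app-content").replaceWith('` + body + `');`
}

// RenderEscapeOnce: compose HTML first, escape once at the JS boundary
// (the output the reporter expected).
func RenderEscapeOnce() string {
	return jsTemplate(jsEscape(mainPartial(formPartial())))
}

// RenderEscapeEveryLevel: every partial call escapes for JS, so the inner
// partial is escaped twice (the output the reporter observed).
func RenderEscapeEveryLevel() string {
	return jsTemplate(jsEscape(mainPartial(jsEscape(formPartial()))))
}

// BrowserSees pulls the literal out of the generated JS and decodes it
// once, i.e. the HTML string replaceWith() actually receives.
func BrowserSees(js string) string {
	start := strings.Index(js, "('") + 2
	end := strings.LastIndex(js, "')")
	return jsUnescape(js[start:end])
}

func main() {
	fmt.Println("escape once:\n" + BrowserSees(RenderEscapeOnce()))
	fmt.Println("escape at every level:\n" + BrowserSees(RenderEscapeEveryLevel()))
}
```

The design point is the one sio4's comment circles around: escaping is a property of the boundary between output contexts (HTML text being placed into a JS string), not of the partial helper. Escaping once, at that boundary, is what keeps a `'` or newline in partial content from terminating the literal; escaping again at each nested call adds nothing for safety and corrupts the markup.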

Closing it, but please feel free to reopen it if you need more discussion on this or have any ideas.

sio4, Sep 05 '22 11:09