Escape hatch to bypass Phlex HTML safety

Open joeldrapper opened this issue 1 year ago • 3 comments

@bradgessler recently brought up the need for this again, and suggested having a safe method that we can use to wrap any safe value.

div(onclick: safe("foo")) { "Foo" }
a(href: safe("javascript:bar")) { "Bar" }

I think this would work quite nicely. safe could return a Phlex::SafeValue, e.g.

def safe(value)
  Phlex::SafeValue.new(value)
end

And we can check for that when building attributes.

if Phlex::SafeValue === value
  ...
end

May 15 '24 12:05 joeldrapper
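
The design proposed in the post above, as an added example that is not Phlex's code or the code from the draft PR: a simplified attribute builder in which `Sketch`, `build_attributes`, `unsafe?` and the two safety rules (refusing `on*` attributes and `javascript:` hrefs) are assumptions made for illustration. It shows the `SafeValue === value` check lifting only the policy refusal, while the wrapped value is still HTML-escaped inside the attribute.

```ruby
# Added sketch: Sketch, build_attributes and the rules in unsafe? are
# assumptions for illustration, not Phlex's implementation.
module Sketch
  ESCAPES = { "&" => "&amp;", "<" => "&lt;", ">" => "&gt;", '"' => "&quot;", "'" => "&#39;" }.freeze

  # Marker wrapper: the caller asserts that this value is trusted.
  class SafeValue
    attr_reader :value

    def initialize(value)
      @value = value.to_s
    end
  end

  module_function

  def safe(value)
    SafeValue.new(value)
  end

  # Assumed safety rules: event-handler attributes and javascript: URLs
  # are refused unless the value was explicitly wrapped with safe().
  def unsafe?(name, value)
    name.match?(/\Aon/i) ||
      (name.casecmp?("href") && value.match?(/\A\s*javascript:/i))
  end

  # Builds an attribute string such as ' href="/home"'.
  def build_attributes(attributes)
    attributes.map do |name, value|
      name = name.to_s
      raise ArgumentError, "invalid attribute name: #{name}" unless name.match?(/\A[a-zA-Z][\w-]*\z/)

      trusted = SafeValue === value
      text = trusted ? value.value : value.to_s
      if !trusted && unsafe?(name, text)
        raise ArgumentError, "unsafe attribute #{name}: wrap the value in safe() to allow it"
      end

      # Trust lifts the policy check only; the value is still escaped so it
      # cannot break out of the quoted attribute.
      escaped = text.gsub(/[&<>"']/, ESCAPES)
      %( #{name}="#{escaped}")
    end.join
  end
end

puts Sketch.build_attributes(onclick: Sketch.safe("foo"), href: Sketch.safe("javascript:bar"))
```

Because the wrapper is an explicit call, every use of `safe(` is greppable, which gives reviewers a short list of places where untrusted input must never reach.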

Draft PR at https://github.com/phlex-ruby/phlex/pull/719

May 15 '24 18:05 bradgessler

What's the difference between unsafe_raw and this?

Jun 06 '24 09:06 joelmoss

You can't use unsafe_raw around an attribute; you would need to write the whole element by hand.

Jun 06 '24 10:06 joeldrapper