Add setHTMLUnsafe and parseHTMLUnsafe methods #9538
Looks reasonable. A few comments inline, though I'd suggest it would be useful to get an HTML editor's opinion about the right way to do this integration. @domenic might have time?
OK, so the main remaining issue to be discussed: do we want the template retargeting behavior, where templateEl.setHTMLUnsafe(string) modifies templateEl.contents instead of templateEl directly?
I tend to say yes. Although it's a bit magical:
- There's really never a situation where you want to actually modify children of the template element itself.
- If we were different from innerHTML, that would probably be surprising.
- If we don't add this, it's pretty difficult to update the template element's contents from a string.
The last one could be fixed, by adding setHTMLUnsafe() to DocumentFragment. (Then, templateEl.contents.setHTMLUnsafe() would work.) That might be a good idea anyway; I feel like I've seen lots of threads asking for it? Edit: I found the thread I was thinking of and I remember why this is hard. You lose the potential context. Which was a big debate in the sanitizer API circles already. So, let's not couple that to this :).
To expand on "it's a bit magical", the downside is basically that templateEl.replaceChildren(foo) or templateEl.appendChild(foo) will change the template element's contents directly, so maybe templateEl.setHTMLUnsafe(foo) should follow that pattern instead of following templateEl.innerHTML = foo.
Hmm, related question: should this method also exist on ShadowRoot, like innerHTML does?
I tend to agree with you - I think
Seems like it really should. @josepharhar seems like something to add?
I'd need to figure out how to make the "context" element in this algorithm also be a shadowroot: There is at least one spot that seems nontrivial to modify:
I think the best way to do that is:
Ok cool I wasn't sure if this was how it should work, thanks! I applied your suggestions
Should the declarative shadow tree PR be made ready for merge first? Currently this PR suggests some shared code paths that are meant to not be shared. I.e., DOMParser and parseUnsafeHTML will deal with declarative shadow trees differently.
Done
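The template retargeting question debated in this thread can be observed directly in a browser. The following is an added example, not code from the PR or the HTML spec; `probeTemplateTargets` and `retargetingApis` are hypothetical helper names, and the probe expects a DOM `Document` (for example `document` in a browser console).

```javascript
// Added example: records where each API puts nodes for a <template> element.
// Helper names are hypothetical; pass a DOM Document as `doc`.
function probeTemplateTargets(doc, html = "<p>probe</p>") {
  // Count nodes on the <template> element itself vs. its contents fragment.
  const counts = (t) => ({
    ownChildren: t.childNodes.length,
    contentChildren: t.content.childNodes.length,
  });
  const report = {};

  // innerHTML: the existing string-based setter the thread compares against.
  const a = doc.createElement("template");
  a.innerHTML = html;
  report.innerHTML = counts(a);

  // appendChild / replaceChildren: the node-based APIs named in the thread.
  const b = doc.createElement("template");
  b.appendChild(doc.createElement("p"));
  report.appendChild = counts(b);

  const c = doc.createElement("template");
  c.replaceChildren(doc.createElement("p"));
  report.replaceChildren = counts(c);

  // setHTMLUnsafe: feature-detect, since older engines do not ship it.
  const d = doc.createElement("template");
  report.setHTMLUnsafe = null;
  if (typeof d.setHTMLUnsafe === "function") {
    d.setHTMLUnsafe(html);
    report.setHTMLUnsafe = counts(d);
  }
  return report;
}

// Names of the APIs that wrote into the template's contents fragment
// and left the <template> element itself without children.
function retargetingApis(report) {
  return Object.keys(report).filter(
    (k) => report[k] && report[k].ownChildren === 0 && report[k].contentChildren > 0
  );
}

// Only runs where a DOM is present (browser console, page script).
if (typeof document !== "undefined") {
  console.table(probeTemplateTargets(document));
}
```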
I am speccing this here: whatwg/html#9538 Bug: 1478969 Change-Id: Ie55827cebdf349aadae13fbf1086baf6177bbff2
I am speccing this here: whatwg/html#9538 Bug: 1478969 Change-Id: Ie55827cebdf349aadae13fbf1086baf6177bbff2 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4824679 Reviewed-by: Mason Freed <[email protected]> Commit-Queue: Joey Arhar <[email protected]> Cr-Commit-Position: refs/heads/main@{#1210412}
…afe, a=testonly Automatic update from web-platform-tests Implement parseHTMLUnsafe and setHTMLUnsafe I am speccing this here: whatwg/html#9538 Bug: 1478969 Change-Id: Ie55827cebdf349aadae13fbf1086baf6177bbff2 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4824679 Reviewed-by: Mason Freed <[email protected]> Commit-Queue: Joey Arhar <[email protected]> Cr-Commit-Position: refs/heads/main@{#1210412} -- wpt-commits: 17743f761d9f8bd3954bc68c60b88d251f9a2239 wpt-pr: 41704
…afe, a=testonly Automatic update from web-platform-tests Implement parseHTMLUnsafe and setHTMLUnsafe I am speccing this here: whatwg/html#9538 Bug: 1478969 Change-Id: Ie55827cebdf349aadae13fbf1086baf6177bbff2 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4824679 Reviewed-by: Mason Freed <masonfchromium.org> Commit-Queue: Joey Arhar <jarharchromium.org> Cr-Commit-Position: refs/heads/main{#1210412} -- wpt-commits: 17743f761d9f8bd3954bc68c60b88d251f9a2239 wpt-pr: 41704 UltraBlame original commit: 27a50ba5472ea3cd6771918695f14558391747fd
Now that the HTML spec PR has been merged, we can remove the tentative from the filename: whatwg/html#9538 Change-Id: I3f73a4c8040828b8cbf0939ba7f8fac9addc1803
Now that the HTML spec PR has been merged, we can remove the tentative from the filename: whatwg/html#9538 Change-Id: I3f73a4c8040828b8cbf0939ba7f8fac9addc1803 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5059429 Commit-Queue: Joey Arhar <[email protected]> Reviewed-by: David Baron <[email protected]> Cr-Commit-Position: refs/heads/main@{#1229582}
…, a=testonly Automatic update from web-platform-tests Remove tentative from setHTMLUnsafe WPTs Now that the HTML spec PR has been merged, we can remove the tentative from the filename: whatwg/html#9538 Change-Id: I3f73a4c8040828b8cbf0939ba7f8fac9addc1803 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5059429 Commit-Queue: Joey Arhar <[email protected]> Reviewed-by: David Baron <[email protected]> Cr-Commit-Position: refs/heads/main@{#1229582} -- wpt-commits: 8219cf1619ccb622f8ae0d9e61ed273f80991124 wpt-pr: 43343
…, a=testonly Automatic update from web-platform-tests Remove tentative from setHTMLUnsafe WPTs Now that the HTML spec PR has been merged, we can remove the tentative from the filename: whatwg/html#9538 Change-Id: I3f73a4c8040828b8cbf0939ba7f8fac9addc1803 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5059429 Commit-Queue: Joey Arhar <jarharchromium.org> Reviewed-by: David Baron <dbaronchromium.org> Cr-Commit-Position: refs/heads/main{#1229582} -- wpt-commits: 8219cf1619ccb622f8ae0d9e61ed273f80991124 wpt-pr: 43343 UltraBlame original commit: 046a9d44fcc7527faaceee93ab34b1851c1a5e5a
This adds the Element.prototype.setHTMLUnsafe and Document.parseHTMLUnsafe methods as described here: https://github.com/WICG/sanitizer-api/blob/main/explainer.md
(See WHATWG Working Mode: Changes for more details.)
/dom.html ( diff )
/dynamic-markup-insertion.html ( diff )
/index.html ( diff )