Document safety of handling user input (like JSX escaping)
Opened this issue · 7 comments
JSX provides automatic escaping which lets you put user input into JSX safely (and without thinking about it).
Does esx provide this under the hood? I was unsure when looking through the ES6 template string examples, so it would be helpful to document this in the readme.
Yes, it does: all inputs run through here https://github.com/esxjs/esx/blob/master/lib/escape.js
Would love a PR for this if you're into it.
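As an added example (not esx's own code), here is a minimal tagged template of the kind the thread describes: every interpolated value is escaped with the five-character set (`&`, `<`, `>`, `"`, `'`) before it is concatenated into the author's static markup, while an ordinary untagged template string beside it shows what "no escaping" looks like. The `html` tag, `SafeHtml` wrapper and the sample input are hypothetical names and constructed data.

```javascript
// Added example, not code from the esx repository. The escape set below is
// the five characters an HTML text/attribute escaper has to cover.
const ESCAPE_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

function escapeHtml(value) {
  // Coerce first so numbers, booleans etc. are handled like React text children.
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPE_MAP[ch]);
}

// Marker type so markup produced by the tag itself is not double-escaped
// when one template is nested inside another (hypothetical helper).
class SafeHtml {
  constructor(markup) { this.markup = markup; }
  toString() { return this.markup; }
}

// Tagged template: static parts (strings[i]) are the author's own markup and
// are trusted; every interpolated value is either already-safe markup from a
// nested `html` call or untrusted data that gets escaped.
function html(strings, ...values) {
  let out = strings[0];
  for (let i = 0; i < values.length; i++) {
    const v = values[i];
    out += (v instanceof SafeHtml ? v.markup : escapeHtml(v)) + strings[i + 1];
  }
  return new SafeHtml(out);
}

// Untrusted input flows through the tag and comes out as inert text.
function renderGreeting(name) {
  return html`<p>Hello, ${name}!</p>`.toString();
}

// Nesting: the inner template's markup is kept, the leaf value is escaped once.
function renderNested(name) {
  return html`<div>${html`<p>${name}</p>`}</div>`.toString();
}

// Contrast: a plain template string performs no escaping at all, so the same
// input is interpolated as raw markup. This is the case the docs should warn about.
function renderRaw(name) {
  return `<p>Hello, ${name}!</p>`;
}

// Constructed sample input containing every character in the escape set.
const SAMPLE_INPUT = '<b>Mallory</b> & "friends" it\'s';
```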
I suggest also mentioning in the docs that it uses custom escaping code, rather than the official React escaping code (just for transparency).
No, it's supposed to match the escape codes in React; that's why it's duplicated rather than just using escape-html,
as mentioned here: https://github.com/esxjs/esx/blob/master/lib/escape.js#L3-L8
Are you saying it doesn't? If so, that should be fixed.
I just meant that the docs should mention how esx uses its own escaping code rather than using the exact React escaping code. This is an important detail because a potential security bug that gets fixed upstream in React (in the future) would not make it into esx unless it was manually copied over (if I understand correctly).
Yes, I see what you're saying. It corresponds exactly right now. It's terribly annoying that React didn't just use the escape-html module or release their own.
I suggest filing an issue asking them to make it importable so you can at least call the same function.
Would you be interested in making a PR?
I can add it to my to-do list but I probably won't get to it any time soon.