New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[react] Support anything with toString() (such as TrustedHTML) as input for dangerouslySetInnerHTML.
#60417
[react] Support anything with toString() (such as TrustedHTML) as input for dangerouslySetInnerHTML.
#60417
Conversation
|
@lgarron Thank you for submitting this PR! This is a live comment which I will keep updated. 1 package in this PRCode ReviewsBecause this is a widely-used package, a DT maintainer will need to review it before it can be merged. You can test the changes of this PR in the Playground. Status
Once every item on this list is checked, I'll ask you for permission to merge and publish the changes. InactiveThis PR has been inactive for 26 days — it is still unreviewed! Diagnostic Information: What the bot saw about this PR{
"type": "info",
"now": "-",
"pr_number": 60417,
"author": "lgarron",
"headCommitOid": "40151cd5c393ec6547475ef4557ef32950be3bda",
"mergeBaseOid": "b6a234377c5edea999fc23777189aad8cdf5d29f",
"lastPushDate": "2022-05-18T22:03:01.000Z",
"lastActivityDate": "2022-06-06T18:29:23.000Z",
"hasMergeConflict": false,
"isFirstContribution": false,
"tooManyFiles": false,
"hugeChange": false,
"popularityLevel": "Critical",
"pkgInfo": [
{
"name": "react",
"kind": "edit",
"files": [
{
"path": "types/react/index.d.ts",
"kind": "definition"
},
{
"path": "types/react/test/index.ts",
"kind": "test"
}
],
"owners": [
"johnnyreilly",
"bbenezech",
"pzavolinsky",
"ericanderson",
"DovydasNavickas",
"theruther4d",
"guilhermehubner",
"ferdaber",
"jrakotoharisoa",
"pascaloliv",
"hotell",
"franklixuefei",
"Jessidhia",
"saranshkataria",
"lukyth",
"eps1lon",
"zieka",
"dancerphil",
"dimitropoulos",
"disjukr",
"vhfmag",
"hellatan",
"priyanshurav"
],
"addedOwners": [],
"deletedOwners": [],
"popularityLevel": "Critical"
}
],
"reviews": [
{
"type": "stale",
"reviewer": "eps1lon",
"date": "2022-05-18T20:38:08.000Z",
"abbrOid": "1fc726a"
}
],
"mainBotCommentID": 1130507965,
"ciResult": "pass"
} |
|
🔔 @johnnyreilly @bbenezech @pzavolinsky @ericanderson @DovydasNavickas @theruther4d @guilhermehubner @ferdaber @jrakotoharisoa @pascaloliv @Hotell @franklixuefei @Jessidhia @saranshkataria @lukyth @eps1lon @zieka @dancerphil @dimitropoulos @disjukr @vhfmag @hellatan @priyanshurav — please review this PR in the next few days. Be sure to explicitly select |
e66461a
to
1fc726a
Compare
types/react/index.d.ts
Outdated
| @@ -38,6 +38,7 @@ | |||
| import * as CSS from 'csstype'; | |||
| import * as PropTypes from 'prop-types'; | |||
| import { Interaction as SchedulerInteraction } from 'scheduler/tracing'; | |||
| import 'trusted-types'; | |||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we should rather use the same approach we do with the dom related stuff: use an empty interface for TrustedHTML and let users take care of the proper type. We shouldn't use the polyfill directly here.
For more guidance check how we test the other DOM interfaces.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah, thanks, I thought trusted-types were the global types to be used. microsoft/TypeScript-DOM-lib-generator#1246 is stalled, so they're not available globally yet. I'll try to take a look.
|
@lgarron One or more reviewers has requested changes. Please address their comments. I'll be back once they sign off or you've pushed new commits. Thank you! |
|
Also: Could you check in which version support for trusted types was added to React? |
|
I don't think React has actual support for trusted types yet. I think this only works incidentally now because So instead of accepting only |
From what I can tell, React passes the input to |
TrustedHTML as input for dangerouslySetInnerHTML.toString() (such as TrustedHTML) as input for dangerouslySetInnerHTML.
Looks like it: https://codesandbox.io/s/trustedhtml-kfxbhz
Nah, if it really is just assigned we should simply accept the same type as |
That certainly makes sense. If it makes sense to wait on that, would you have any advice for any TypeScript projects that want to pass |
|
@lgarron The CI build failed! Please review the logs for more information. Once you've pushed the fixes, the build will automatically re-run. Thanks! Note: builds which are failing do not end up on the list of PRs for the DT maintainers to review. |
a6f249a
to
40151cd
Compare
|
Inspecting the JavaScript source for this package found some properties that are not in the .d.ts files. react (unpkg)was missing the following properties:
|
|
@eps1lon Thank you for reviewing this PR! The author has pushed new commits since your last review. Could you take another look and submit a fresh review? |
Unfortunately module augmentation doesn't work for existing properties so all you can do is error suppression. |
Do I understand correctly that the best way forward is to advocate for microsoft/TypeScript-DOM-lib-generator#1246 to land, and to change |
Is there a good way to do this? It looks like types from |
Yep
I don't know. One difficulty is how this change will integrate into |
|
Re-ping @johnnyreilly, @bbenezech, @pzavolinsky, @ericanderson, @DovydasNavickas, @theruther4d, @guilhermehubner, @ferdaber, @jrakotoharisoa, @pascaloliv, @Hotell, @franklixuefei, @Jessidhia, @saranshkataria, @lukyth, @eps1lon, @zieka, @dancerphil, @dimitropoulos, @disjukr, @vhfmag, @hellatan, @priyanshurav: This PR has been out for over a week, yet I haven't seen any reviews. Could someone please give it some attention? Thanks! |
|
It has been more than two weeks and this PR still has no reviews. I'll bump it to the DT maintainer queue. Thank you for your patience, @lgarron. (Ping @johnnyreilly, @bbenezech, @pzavolinsky, @ericanderson, @DovydasNavickas, @theruther4d, @guilhermehubner, @ferdaber, @jrakotoharisoa, @pascaloliv, @Hotell, @franklixuefei, @Jessidhia, @saranshkataria, @lukyth, @eps1lon, @zieka, @dancerphil, @dimitropoulos, @disjukr, @vhfmag, @hellatan, @priyanshurav.) |
|
Alternate proposal #60691 |
npm test <package to test>.This change allows passing
TrustedHTMLtodangerouslySetInnerHTMLin React. React correctly passes this toinnerHTMLin a way that is compatible with CSP enforcement of the Trusted Types API. We are prototyping a use case for this inside the GitHub codebase.Since this is a nested property on an interface, I couldn't find a reasonable way to augment the
reactnamespace to support this inside a single project. So I thought I'd send this PR to see if we could consider marking the functionality in@types/reactdirectly.