-
Notifications
You must be signed in to change notification settings - Fork 24.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix(ivy): elements properties should not be stringified #22683
Conversation
|
||
t.update(() => elementProperty(0, 'hidden', false)); | ||
// The hidden property would be true if `false` was stringified into `"false"`. | ||
expect((t.hostNode.native as HTMLElement).querySelector('div') !.hidden).toEqual(false); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Wouldn't this allow someone to create `{toString:() => 'evel text'} and bypass sanitization?
Or is your argument that user can't do that only bad programing practice?
Or maybe we just skip sanatiazation for primitives and sanitizae evrything else?
@@ -746,7 +746,7 @@ export function elementProperty<T>( | |||
setInputsForProperty(dataValue, value); | |||
markDirtyIfOnPush(node); | |||
} else { | |||
value = (sanitizer != null ? sanitizer(value) : stringify(value)) as any; | |||
value = typeof value == 'string' && sanitizer != null ? (sanitizer(value) as any) : value; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would feel better if the check was typeof value !== 'number' && typeof value !== 'boolean'
since we need to guard against {toString: () => 'evil text'}
a3d299c
to
bdadc66
Compare
Updated with the assumption that the compiler will only "inject" the sanitizer for properties that are not safe, PTAL |
This issue has been automatically locked due to inactivity. Read more about our automatic conversation locking policy. This action has been performed automatically by a bot. |
This PR fixes a regression introduced by #22540