fix(ivy): elements properties should not be stringified #22683

Closed


marclaval
Contributor

This PR fixes a regression introduced by #22540

@marclaval marclaval added action: review The PR is still awaiting reviews from at least one requested reviewer target: major This PR is targeted for the next major release comp: ivy labels Mar 9, 2018
@marclaval marclaval requested a review from mhevery March 9, 2018 17:31

t.update(() => elementProperty(0, 'hidden', false));
// The hidden property would be true if `false` was stringified into `"false"`.
expect((t.hostNode.native as HTMLElement).querySelector('div') !.hidden).toEqual(false);
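
Review bot: the test calls `elementProperty(0, 'hidden', false)` with a boolean and no sanitizer, so it only covers the path where nothing is sanitized. Add a case that passes a sanitizer together with a non-string value (for example an object with a custom `toString()`) and asserts what ends up on the element, so the sanitized branch of this change is pinned down as well.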

Wouldn't this allow someone to create `{toString: () => 'evil text'}` and bypass sanitization?
Or is your argument that the user can't do that, only bad programming practice?
Or maybe we just skip sanitization for primitives and sanitize everything else?

@@ -746,7 +746,7 @@ export function elementProperty<T>(
setInputsForProperty(dataValue, value);
markDirtyIfOnPush(node);
} else {
value = (sanitizer != null ? sanitizer(value) : stringify(value)) as any;
value = typeof value == 'string' && sanitizer != null ? (sanitizer(value) as any) : value;
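
Review bot: on the replacement line, `typeof value == 'string' && sanitizer != null` skips the sanitizer for every non-string value, so an object whose `toString()` returns markup is assigned unsanitized even when a sanitizer was passed. Gate on the sanitizer alone, e.g. `value = sanitizer != null ? (sanitizer(value) as any) : value;`, which still avoids stringifying booleans such as `false` when no sanitizer is supplied.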

I would feel better if the check was `typeof value !== 'number' && typeof value !== 'boolean'` since we need to guard against `{toString: () => 'evil text'}`

@marclaval
Contributor Author

Updated with the assumption that the compiler will only "inject" the sanitizer for properties that are not safe, PTAL
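
The guard policies discussed in this thread, compared on a value whose `toString()` returns markup. This is an added example, not code from this PR or from Angular: every function name, the escaping sanitizer and the sample values are constructed for illustration, and policy C is an assumption about what "always call a supplied sanitizer" would look like.

```typescript
// Added illustration: every name below is hypothetical, none is Angular's API.
type DemoSanitizer = (value: unknown) => string;

// Constructed stand-in for a sanitizer: coerce to string, then escape markup.
const escapeMarkup: DemoSanitizer = (value) =>
  String(value).replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');

// Policy A, the guard in the hunk above: sanitize only values that are already strings.
function stringOnly(value: unknown, sanitizer: DemoSanitizer | null): unknown {
  return typeof value == 'string' && sanitizer != null ? sanitizer(value) : value;
}

// Policy B, the reviewer's suggestion: exempt only numbers and booleans.
function exemptNumbersAndBooleans(value: unknown, sanitizer: DemoSanitizer | null): unknown {
  const exempt = typeof value === 'number' || typeof value === 'boolean';
  return !exempt && sanitizer != null ? sanitizer(value) : value;
}

// Policy C (assumption): always call a supplied sanitizer, never stringify otherwise.
function alwaysWhenSupplied(value: unknown, sanitizer: DemoSanitizer | null): unknown {
  return sanitizer != null ? sanitizer(value) : value;
}

// Models a string-typed DOM property: assignment coerces the value with String().
function asStringProperty(value: unknown): string {
  return String(value);
}

// Final string a string-typed property would hold under each policy.
function compare(value: unknown, sanitizer: DemoSanitizer | null) {
  return {
    stringOnly: asStringProperty(stringOnly(value, sanitizer)),
    exemptNumbersAndBooleans: asStringProperty(exemptNumbersAndBooleans(value, sanitizer)),
    alwaysWhenSupplied: asStringProperty(alwaysWhenSupplied(value, sanitizer)),
  };
}

// Constructed input: an object whose toString() returns markup.
const wrapped = { toString: () => '<b>markup</b>' };

console.log(compare(wrapped, escapeMarkup));
console.log(stringOnly(false, null), alwaysWhenSupplied(false, null));
```

Policy C turns `false` into the string `'false'` whenever a sanitizer is supplied, so it keeps boolean properties intact only if no sanitizer is passed for them.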

@mhevery mhevery added action: merge The PR is ready for merge by the caretaker and removed action: review The PR is still awaiting reviews from at least one requested reviewer labels Mar 12, 2018
@kara kara closed this in f95730b Mar 12, 2018
leo6104 pushed a commit to leo6104/angular that referenced this pull request Mar 25, 2018
@angular-automatic-lock-bot angular-automatic-lock-bot bot locked and limited conversation to collaborators Sep 13, 2019