Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: properly handle special characters in user-provided IDs (closes #4927, #5561) #5564

Merged
merged 4 commits into from Jul 21, 2020

Conversation

dietergeerts
Copy link
Contributor

@dietergeerts dietergeerts commented Jul 8, 2020

Describe the PR

Special characters are allowed in HTML5 (https://developer.mozilla.org/en-US/docs/Web/HTML/Global_attributes/id) but need to be escaped when used in a selector for usage in e.g. document.querySelector().

This PR makes sure to escape user-provided IDs (e.g. for <b-form-group> or a <b-tags-input>) when used with the select() util.

Closes #4927, #5561.

PR checklist

What kind of change does this PR introduce? (check at least one)

  • Bugfix (fixes a boo-boo in the code) - fix(...), requires a patch version update
  • Feature (adds a new feature to BootstrapVue) - feat(...), requires a minor version update
  • Enhancement (augments an existing feature) - feat(...), requires a minor version update
  • ARIA accessibility (fixes or improves ARIA accessibility) - fix(...), requires a patch or minor version update
  • Documentation update (improves documentation or typo fixes) - chore(docs), requires a patch version update
  • Other (please describe)

Does this PR introduce a breaking change? (check one)

  • No
  • Yes (please describe since breaking changes require a minor version update)

The PR fulfills these requirements:

  • It's submitted to the dev branch, not the master branch
  • When resolving a specific issue, it's referenced in the PR's title (i.e. [...] (fixes #xxx[,#xxx]), where "xxx" is the issue number)
  • It should address only one issue or feature. If adding multiple features or fixing a bug and adding a new feature, break them into separate PRs if at all possible.
  • The title should follow the Conventional Commits naming convention (i.e. fix(alert): not alerting during SSR render, docs(badge): update pill examples, chore(docs): fix typo in README, etc). This is very important, as the CHANGELOG is generated from these messages, and determines the next version type (patch or minor).

If new features/enhancement/fixes are added or changed:

  • Includes documentation updates
  • Includes component package.json meta section updates (prop, slot and event changes/updates)
  • Includes any needed TypeScript declaration file updates
  • New/updated tests are included and passing (required for new features and enhancements)
  • Existing test suites are passing
  • CodeCov for patch has met target (all changes/updates have been tested)
  • The changes have not impacted the functionality of other components or directives
  • ARIA Accessibility has been taken into consideration (Does it affect screen reader users or keyboard only users? Clickable items should be in the tab index, etc.)

If adding a new feature, or changing the functionality of an existing feature, the PR's
description above includes:

  • A convincing reason for adding this feature (to avoid wasting your time, it's best to open a suggestion issue first and wait for approval before working on it)

Special characters are allowed in HTML5 (https://developer.mozilla.org/en-US/docs/Web/HTML/Global_attributes/id) but need to be escaped when used in a selector for usage in e.g. "querySelector"

Refs bootstrap-vue#5561
@dietergeerts
Copy link
Contributor Author

dietergeerts commented Jul 8, 2020

I also would like to mention that for me, at first, it wasn't clear that when you use label-for, that the id on the input has to be provided. I though that the b-form-group would add this automatically. After reading the docs again, I see it's stated, but like a bit "hidden". I believe it would be beneficial to have it more prominent in the docs.

@codesandbox-ci
Copy link

codesandbox-ci bot commented Jul 8, 2020

This pull request is automatically built and testable in CodeSandbox.

To see build info of the built libraries, click here or the icon next to each commit SHA.

Latest deployment of this branch, based on commit 3879c5e:

Sandbox Source
BootstrapVue Starter Project Configuration

@codecov
Copy link

codecov bot commented Jul 8, 2020

Codecov Report

Merging #5564 into dev will not change coverage.
The diff coverage is 100.00%.

Impacted file tree graph

@@            Coverage Diff            @@
##               dev     #5564   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files          277       278    +1     
  Lines         9380      9409   +29     
  Branches      2497      2514   +17     
=========================================
+ Hits          9380      9409   +29     
Flag Coverage Δ
#unittests 100.00% <100.00%> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files Coverage Δ
src/components/form-group/form-group.js 100.00% <100.00%> (ø)
src/components/form-tags/form-tags.js 100.00% <100.00%> (ø)
src/utils/css-escape.js 100.00% <100.00%> (ø)

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update ec51ef0...3879c5e. Read the comment docs.

@dietergeerts
Copy link
Contributor Author

dietergeerts commented Jul 8, 2020

In the original post, I stated that CSS.escape should be used, but as it's experimental, and not supported by all browser supported by bootstrap-vue, I included a polyfill instead.

@Hiws Hiws added PR: Patch Requires patch version bump Type: Fix labels Jul 8, 2020
@jacobmllr95
Copy link
Member

jacobmllr95 commented Jul 15, 2020

@dietergeerts IMHO the escaping isn't wort it. Especially when we need to add an additional dependency.
Just make sure to only use IDs that are supported by .querySelector() out fo the box.

@dietergeerts
Copy link
Contributor Author

dietergeerts commented Jul 16, 2020

@jackmu95, like explained in the issue, we are not in control of the used id. The extra dependency was added because CSS.escape is still experimental and not supported by all browsers this library supports. So if this is not fixed, we'll be unable to use this library.

@jacobmllr95
Copy link
Member

jacobmllr95 commented Jul 16, 2020

@dietergeerts You have to make sure to assign a valid ID to the control of the <b-form-group> in the first place.
https://codesandbox.io/s/nifty-brook-kztwz?file=/App.vue

@dietergeerts
Copy link
Contributor Author

dietergeerts commented Jul 16, 2020

@dietergeerts You have to make sure to assign a valid ID to the control of the <b-form-group> in the first place.
https://codesandbox.io/s/nifty-brook-kztwz?file=/App.vue

Well /1547-3 for example is a valid id in HTML5, and one that we get from a 3rd party system as unique id to be used in our forms.

Ref: https://developer.mozilla.org/en-US/docs/Web/HTML/Global_attributes/id

@jacobmllr95 jacobmllr95 reopened this Jul 16, 2020
@jacobmllr95
Copy link
Member

jacobmllr95 commented Jul 16, 2020

@dietergeerts I will revisit this later today.

css.escape is a polyfill for CSS.escape and would cause side-effects.
I think we should create a util for this ourselves which borrows most of the code.

There are also other places we need to escape a user-provided ID.

@jacobmllr95 jacobmllr95 self-requested a review Jul 16, 2020
@jacobmllr95 jacobmllr95 added this to In progress in v2.16.0 via automation Jul 16, 2020
@jacobmllr95 jacobmllr95 changed the title fix(b-form-group): make it work for ids with special characters like "/" (fixes #5561) fix: properly handle special characters in user-provided IDs (closes #4927, #5561) Jul 21, 2020
@vercel
Copy link

vercel bot commented Jul 21, 2020

This pull request is being automatically deployed with Vercel (learn more).
To see the status of your deployment, click below or on the icon next to each commit.

🔍 Inspect: https://vercel.com/bootstrap-vue/bootstrap-vue/ctlihtqim
Preview: https://bootstrap-vue-git-fork-dietergeerts-dev.bootstrap-vue.vercel.app

@jacobmllr95 jacobmllr95 merged commit 1fabd68 into bootstrap-vue:dev Jul 21, 2020
14 checks passed
v2.16.0 automation moved this from In progress to Done Jul 21, 2020
@jacobmllr95
Copy link
Member

jacobmllr95 commented Jul 21, 2020

Thanks @dietergeerts!

@jacobmllr95 jacobmllr95 removed their request for review Jul 21, 2020
@dietergeerts
Copy link
Contributor Author

dietergeerts commented Jul 27, 2020

@jackmu95 , thx for finishing up and having it merged. Is there any schedule when releases are made? (just wondering, as I see a github-project with the version tag where all is in done column, and as all is like very well automated, I assumed it would have been released already)

jacobmllr95 added a commit that referenced this issue Jul 28, 2020
* chore(deps): update all non-major dependencies (#5430)

Co-authored-by: Renovate Bot <bot@renovateapp.com>

* fix(b-form-checkbox-group): only emit `input` when value loosely changes (#5432)

* fix(b-form-checkbox-group, b-form-radio-group): only emit `input` when value loosely changes

* Update loose-equal.js

* Update form-checkbox-group.spec.js

* chore(deps): update all non-major dependencies (#5440)

Co-authored-by: Renovate Bot <bot@renovateapp.com>

* chore(deps): update devdependency vue-router to ^3.3.0 (#5443)

Co-authored-by: Renovate Bot <bot@renovateapp.com>

* chore(deps): update all non-major dependencies (#5445)

Co-authored-by: Renovate Bot <bot@renovateapp.com>

* chore(deps): update devdependency rollup to ^2.11.2 (#5446)

Co-authored-by: Renovate Bot <bot@renovateapp.com>

* chore: Change Bootstrap v4.3.x to 4.5.x in README (#5447)

Since v2.15 Bootstrap-Vue supports Bootstrap v4.5

* chore(deps): update all non-major dependencies (#5451)

* chore(deps): update all non-major dependencies

* Use `toBeEmptyDomElement()` instead of deprecated `toBeEmpty()`

* Correct typo

Co-authored-by: Renovate Bot <bot@renovateapp.com>
Co-authored-by: Jacob Müller <jacob.mueller.elz@gmail.com>

* chore(deps): update devdependency vue-router to ^3.3.2 (#5454)

Co-authored-by: Renovate Bot <bot@renovateapp.com>

* chore(deps): remove unused `gh-pages` dependency (#5455)

* chore(deps): update devdependency gh-pages to v3

* Remove `gh-pages` dependency

Co-authored-by: Renovate Bot <bot@renovateapp.com>
Co-authored-by: Jacob Müller <jacob.mueller.elz@gmail.com>

* chore(deps): update all non-major dependencies (#5458)

Co-authored-by: Renovate Bot <bot@renovateapp.com>

* Update all bootstrap doc links to latest version (#5450)

Co-authored-by: Jacob Müller <jacob.mueller.elz@gmail.com>

* chore(deps): update devdependency rollup to ^2.12.1 (#5463)

Co-authored-by: Renovate Bot <bot@renovateapp.com>

* chore(deps): update all non-major dependencies (#5466)

Co-authored-by: Renovate Bot <bot@renovateapp.com>

* chore(deps): update devdependency @nuxtjs/sitemap to ^2.3.1 (#5468)

Co-authored-by: Renovate Bot <bot@renovateapp.com>

* chore(deps): update devdependency lint-staged to ^10.2.9 (#5470)

Co-authored-by: Renovate Bot <bot@renovateapp.com>

* chore(b-avatar): convert line endings to Unix (#5469)

Co-authored-by: Jacob Müller <jacob.mueller.elz@gmail.com>

* chore: convert all line endings to unix (#5474)

* chore(deps): update all non-major dependencies (#5478)

Co-authored-by: Renovate Bot <bot@renovateapp.com>

* chore(deps): update all non-major dependencies (#5482)

Co-authored-by: Renovate Bot <bot@renovateapp.com>

* chore(deps): update devdependency eslint-plugin-import to ^2.21.2 (#5487)

Co-authored-by: Renovate Bot <bot@renovateapp.com>

* chore(deps): update devdependency @testing-library/jest-dom to ^5.10.0 (#5493)

Co-authored-by: Renovate Bot <bot@renovateapp.com>

* chore(deps): update all non-major dependencies (#5495)

Co-authored-by: Renovate Bot <bot@renovateapp.com>

* first attempt (#5462)

Co-authored-by: Jacob Müller <jacob.mueller.elz@gmail.com>

* chore(deps): update all non-major dependencies (#5499)

Co-authored-by: Renovate Bot <bot@renovateapp.com>

* chore(deps): update devdependency eslint-plugin-prettier to ^3.1.4 (#5501)

Co-authored-by: Renovate Bot <bot@renovateapp.com>

* chore(deps): update devdependency @nuxtjs/sitemap to ^2.3.2 (#5503)

Co-authored-by: Renovate Bot <bot@renovateapp.com>

* chore(deps): update devdependency terser to ^4.8.0 (#5505)

Co-authored-by: Renovate Bot <bot@renovateapp.com>

* chore(deps): update all non-major dependencies (#5508)

Co-authored-by: Renovate Bot <bot@renovateapp.com>

* chore(docs): fix typo in sidebar README (#5494) (#5510)

* chore: update auto format config (#5526)

* chore(deps): update all non-major dependencies (#5511)

Co-authored-by: Renovate Bot <bot@renovateapp.com>
Co-authored-by: Jacob Müller <jacob.mueller.elz@gmail.com>

* chore(deps): update all non-major dependencies (#5531)

Co-authored-by: Renovate Bot <bot@renovateapp.com>

* fix typo (#5534)

* remove mention of `router-tag` from button docs (#5535)

Co-authored-by: Jacob Müller <jacob.mueller.elz@gmail.com>

* fix(b-table): prevent endless reevaluation when using v-model and object/array literal prop values (#5554)

* Update devDependency sass-loader to v9 (#5546)

Co-authored-by: Renovate Bot <bot@renovateapp.com>
Co-authored-by: Jacob Müller <jacob.mueller.elz@gmail.com>

* fix(b-img): Allow empty `alt` prop (fixes #5524) (#5545)

* Allow empty `alt`

* default to null to avoid check

* remove unused import

* add avatar support

* add test cases

* spelling

Co-authored-by: Jacob Müller <jacob.mueller.elz@gmail.com>

* chore(deps-dev): bump standard-version from 8.0.0 to 8.0.1 (#5576)

Bumps [standard-version](https://github.com/conventional-changelog/standard-version) from 8.0.0 to 8.0.1.
- [Release notes](https://github.com/conventional-changelog/standard-version/releases)
- [Changelog](https://github.com/conventional-changelog/standard-version/blob/master/CHANGELOG.md)
- [Commits](conventional-changelog/standard-version@v8.0.0...v8.0.1)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* feat(b-form-tags): add `ignoreInputFocusSelector` prop to make input focus behavior configurable (closes #5425) (#5429)

* fix(b-form-tags): fix input focus upon clicking on nested element

* Update form-tags.js

* Add `ignoreInputFocusSelector` prop

* Update form-tags.js

* Add comment and more selectors to ignoreInputFocusSelector in form-tags.js

Co-authored-by: Jacob Müller <jacob.mueller.elz@gmail.com>

* chore(deps): update all non-major dependencies (#5533)

* chore(deps): update all non-major dependencies

* Bump BundleWatch limits for new Bootstrap Icons

* Regenerate icon files

Co-authored-by: Renovate Bot <bot@renovateapp.com>
Co-authored-by: Jacob Müller <jacob.mueller.elz@gmail.com>

* chore(docs): add an example to `<b-input-group>`'s using icons (#5537)

* Adding an example to input-groups using icons

* Update README.md

Co-authored-by: Jacob Müller <jacob.mueller.elz@gmail.com>

* chore(deps): update devdependency @nuxtjs/google-analytics to ^2.4.0 (#5583)

Co-authored-by: Renovate Bot <bot@renovateapp.com>

* fix(b-icon): use `aria-label` attribute instead of `alt` (#5581)

* fix(b-tags): replace spacing utility with static CSS (fixes #5523) (#5544)

* remove spacing utility

* use mt-auto for better centering

* update

* add new class to avoid issues with custom rendering

Co-authored-by: Jacob Müller <jacob.mueller.elz@gmail.com>

* chore(docs): improve icons page (#5579)

* feat(docs): improve icons page

* Actually use `bootstrapIconsCount` variable

* Move icon explorer to the bottom

* chore: regenerate `yarn.lock` (#5585)

* fix(b-form-tags): unit test (#5586)

* chore(deps): update devdependency rollup to ^2.22.0 (#5589)

Co-authored-by: Renovate Bot <bot@renovateapp.com>

* chore(deps): update all non-major dependencies (#5590)

Co-authored-by: Renovate Bot <bot@renovateapp.com>

* feat(docs): launch themes page with first BootstrapVue theme (#5549)

* docs(footer): uncomment link for themes

* docs(header): uncomment link for themes

* docs(sidebar): uncomment link for themes

* docs(intro/README): uncomment link for themes

* docs(theming/README): uncomment link for themes

* feature(themes): add first Bootstrap Vue & Creative Tim theme

* style(themes): prettify themes files

* fix(themes): solve typo

* Use `@nuxt/content` for themes

* Update index.vue

* Update themes.vue

* Don't pin `@nuxt/content`

* Update themes.vue

* Update themes.vue

Co-authored-by: Jacob Müller <jacob.mueller.elz@gmail.com>

* fix: properly handle special characters in user-provided IDs (closes #4927, #5561) (#5564)

* fix(b-form-group): make it work for ids with special characters like "/"

Special characters are allowed in HTML5 (https://developer.mozilla.org/en-US/docs/Web/HTML/Global_attributes/id) but need to be escaped when used in a selector for usage in e.g. "querySelector"

Refs #5561

* Use own `cssEscape()` util + use/test everywhere needed

Co-authored-by: Jacob Müller <jacob.mueller.elz@gmail.com>

* chore(ci): update `actions/cache` to v2 (#5580)

* chore(ci): update `actions/cache` to v2

* Update test.yml

* Update test.yml

* fix(b-form-tags): unit tests

* Revert "fix(b-form-tags): unit tests"

This reverts commit 20ebc04.

* Split actions

* Run BundleWatch during build

* Update build.yml

* Revert "Update build.yml"

This reverts commit ed4ad3d.

* Update build.yml

* chore: replace `packagequality` badge with `codacy` in README (#5596)

* chore: replace `packagequality` badge with `codacy` in README

* Update README.md

* chore(deps): update devdependency rollup to ^2.22.2 (#5597)

Co-authored-by: Renovate Bot <bot@renovateapp.com>

* chore(deps): update devdependency rollup to ^2.23.0 (#5603)

Co-authored-by: Renovate Bot <bot@renovateapp.com>

* remove redundant height declaration in .b-sidebar (#5606)

* chore(deps): update devdependency eslint-plugin-jest to ^23.18.2 (#5607)

Co-authored-by: Renovate Bot <bot@renovateapp.com>
Co-authored-by: Jacob Müller <jacob.mueller.elz@gmail.com>

* chore(deps): update all non-major dependencies (#5609)

Co-authored-by: Renovate Bot <bot@renovateapp.com>

* chore(docs): fix Bootstrap browser and devices link

* chore(ci): fix BundleWatch token name

* chore: add back `packagequality` badge to README

* chore: prettify

* chore: update contributors

* chore(deps): update devdependency eslint-plugin-jest to ^23.19.0 (#5611)

Co-authored-by: Renovate Bot <bot@renovateapp.com>

* chore: add script to generate release notes (#5612)

* chore: bump version to 2.16.0 and update changelog (#5614)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Renovate Bot <bot@renovateapp.com>
Co-authored-by: Troy Morehouse <troymore@nbnet.nb.ca>
Co-authored-by: TitanFighter <bear_ukraine@bigmir.net>
Co-authored-by: Hiws <rni@nova-c.dk>
Co-authored-by: Vitaly Slobodin <vitaly_slobodin@fastmail.com>
Co-authored-by: Sergey Skrynnikov <minotaar.hh@gmail.com>
Co-authored-by: James George <jamesgeorge998001@gmail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Paweł Tatarczuk <paweltatarczuk@gmail.com>
Co-authored-by: Ivan Gonzalez <scratchmex@gmail.com>
Co-authored-by: Hiws <hiws@live.dk>
Co-authored-by: Nazare Emanuel-Ioan <emanuelioannazare@gmail.com>
Co-authored-by: Dieter Geerts <dieter@dworks.be>
Co-authored-by: michel milano <mmilano@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
PR: Patch Requires patch version bump Type: Fix
Projects
No open projects
v2.16.0
  
Done
3 participants