Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

property "innerHTML" doesn't work #131

Closed
wildlyinaccurate opened this issue Aug 24, 2018 · 6 comments
Closed

property "innerHTML" doesn't work #131

wildlyinaccurate opened this issue Aug 24, 2018 · 6 comments

Comments

@wildlyinaccurate
Copy link

In elm-lang/virtual-dom@2.0.4, you could do the following:

node "div" [ property "innerHTML" (Json.string "This is the innerHTML property") ] []

and the output would be

<div>This is the innerHTML property</div>

However in elm/virtual-dom@1.0.0, this does not work and the output is just

<div></div>

I can see that this is on purpose. Is there an alternative way to set a node's innerHTML property? Something similar to React's dangerouslySetInnerHTML?
@wildlyinaccurate
Copy link
Author

Sorry, if I had played around for a minute longer I would have realised that Elm.Kernel.VirtualDom.property is available in userland!

@evancz
Copy link
Member

evancz commented Aug 24, 2018

Sorry, if I had played around for a minute longer I would have realised that Elm.Kernel.VirtualDom.property is available in userland!

What do you mean by this? There should not be a thing like dangerouslySetInnerHTML

@wildlyinaccurate
Copy link
Author

wildlyinaccurate commented Aug 24, 2018
edited

@evancz I mean that the following code sets the innerHTML property as I would expect:

node "div" [ Elm.Kernel.VirtualDom.property "innerHTML" (Json.string "This is the innerHTML property") ] []

This is a useful feature for me; I use it to insert HTML generated from Markdown into the page.

@rtfeldman
Copy link
Member

This is a useful feature for me

@wildlyinaccurate This is definitely not an intentional feature, but rather a recently discovered compiler bug, and I would strongly recommend against relying on it! Once the bug is fixed, that code will definitely stop working.

I've seen several people on Elm Slack who were previously using innerHTML and who have found other solutions that will continue working once this bug is fixed. I'd recommend asking in the #general channel what has worked for people!

@wildlyinaccurate
Copy link
Author

Thanks @rtfeldman. I discussed this with some of the folks in Slack, and it seems like the rationale behind this change is to prevent packages with potential XSS vulnerabilities from being published. Is that correct?

I think there's a balance to be struck between safety and developer friction. There are plenty of cases where it is perfectly safe to set innerHTML and the overhead of a custom element or an HTML parser is not appropriate.

Could we meet in the middle by creating a Elm.VirtualDom.dangerouslySetProperty function? This could be a "banned import" in a prepublish check.

@panthershark panthershark mentioned this issue Aug 29, 2018
Closed
@evancz
Copy link
Member

evancz commented Sep 12, 2018

We had a bunch of discussion about the tradeoffs in this thread elm/html#172. It addresses the specific concerns and recommendation you mention here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@wildlyinaccurate @rtfeldman @evancz