Angle bracket component with splattributes not correctly merging attributes #18232
Comments
|
I think this was fixed in 3.11. Mind upgrading? |
|
The repo that I linked to is actually using 3.11.1. 😬 |
|
Hmm, turns out this is indeed still a bug. This is specific to the |
|
What about the use case with the |
Sorry.. I'm no sure if I understand what you mean here |
|
The second part of my original post where I have this code: It seems that the |
|
There is no way to pass html attributes to the component helper at all, but that is a different issue/feature reauest |
|
Ok, I will make a new issue for that use case. |
Yeah, |
|
This is kind of a big bug? You can't use the The fact you can't do anything with attributes passed in makes this worse, it is basically impossible to use |
|
Can we potentially update the logic such that the merging happens before we assign any values at all? That way we can still assign |
|
We ran into this issue on our app too. Here is a twiddle repro. |
|
How do we upvote bugs? I have a feeling this one is going to cause all kinds of confusion pretty quickly. |
|
@sukima there is no upvoting mechanism. The solution to this bug is also not completely straightforward, as changing the timings of the merging might impact other use cases and attributes. |
Due to emberjs/ember.js#18232 we still support the attribute-argument in current 4.0 RCs, so remove the deprecation here to not cause folks to refactor to anything that will actually not work correctly.
Due to emberjs/ember.js#18232 we still support the attribute-argument in current 4.0 RCs, so remove the deprecation here to not cause folks to refactor to anything that will actually not work correctly.
|
Does this bug need tracking in the https://github.com/glimmerjs/glimmer-vm repo? I don't see a linked issue, but I guess this is a Glimmer VM problem since there was reference to some Glimmer commit above? |
|
Also hit this bug today, very confusing. If we aren't able to solve it quickly, maybe the docs could be updated to mention this button type exception and any potential workarounds |
|
We ran into this one today, too, but with a component wrapping an |
|
@rwjblue @chancancode Hi! Any updates on this one? Still see this issue on 3.20.0 |
|
This has come up on discord again. Not documented. No error. Just lucky if someone manages to find this thread or asks on discord and someone is around that knows the issue. |
|
I believe this fix should fix this issue: glimmerjs/glimmer-vm#1178 The PR is approved and everything, unsure why it didn't get merged. I'll review this week if no one else takes a look by then. |
|
@pzuraq Shouldn't this be open until Glimmer VM is updated in Ember itself? |
|
@jelhan it was autoclosed since the linked issue was merged, didn't notice that until now (thanks for reopening @rwjblue!). The hazards of cross-repo dependencies 😩 However that fix now has been merged in #19293 So I think we can officially close this! Please reopen if you still see this issue on Canary |
|
FYI - in case anyone is dealing with this currently - we had a nasty surprise when the This gave us a bit of a black eye as it caused a secondary wave of security concerns around using open-source platforms like Ember for mission-critical apps. We got everyone tucked back into bed, but this one was pretty challenging as it sailed through automated testing (since the login form tests didn't check if the input had type=pw, just that the form worked - we plugged that hole!). Good learning for us, but this issue probably deserves a call-out in all prior ember versions where it may have impact. |
|
Yep, this should never have been an issue in the first place and then ignored for 6 months after a casual acknowledgement that it was a real bug. Then ignored for almost a whole year before being merged (after it once again being ignored for the majority of the year until I commented again because someone on discord had this issue yet again). What this issue represents is bigger than the issue itself. There is so much mess left in Ember to stay backwards compatible but really it doesn't. |
|
@robclancy I was raising our experience only to indicate that there is at least one scenario (the one I identified) that has implications beyond a purely functional issue - i.e. security - and so that may raise a flag to folks on the docs side to splat something in somewhere to call this issue out on earlier versions. I do not find Ember anything less than extraordinary as a platform - yes it's imperfect, but technology itself is by definition the risk of choosing change and innovation over the status quo, and I find the balance of risks to be handled very well here. I wrote my first line of code in 1978 and have written over 2M since across some 50+ platforms, languages, and OS's, from assembly up to 4GLs and this is one of the best run I've seen, esp. given its budget! |
|
@robclancy FWIW, there were a number of procedural failures that led to the long delay for solving this bug as well, primarily:
This made the upgrade process very difficult. We did patch some changes to previous versions of the VM when necessary, but we tried to avoid it as much as possible because it was causing even more divergence, which was making it even more difficult to catch up. After finally landing the VM upgrade in 3.17, we spent several months fixing the ensuing regressions, and then several more months refactoring the VM itself, along with our processes surrounding VM changes and upgrades. We now have a policy of always integrating immediately when we make breaking changes, along with automated performance benchmarks to make sure we don't regress in the VM. A large portion of the internals of Ember have also been moved up into the VM, reducing duplication and complexity overall. The goal here is to make sure we never get into that type of situation again, and that bugfixes like these should generally be easy to implement and fix. We also were not aware that this bug could represent a security concern. That would have bumped it up the priority list significantly - we're always fixing bugs and issues, and this one was concerning but not the highest priority because it had workarounds and did not appear to be impacting many people compared to many other bugs (the bugs from the VM upgrades were breaking people's apps regularly). Thank you @DLiblik for bringing this to our attention! |
I so wish this sentimentality could extend beyond the walled garden and into the general consciousness of the industry at large. |
|
This issue is fixed in 3.25.*. For some reason, the changelog doesn't mention it https://github.com/emberjs/ember.js/blob/master/CHANGELOG.md. |
In my Ember 3.10 app, I have a button component that has
tageName: ''set, and then in the template, I'm using splattributes. I'm getting some unexpected behavior when I try to override the attributes.Below are some code snippets to explain it, but you can see it in detail in my repository here.
Here is my button component:
and template
If I use my button component by itself, the
data-test-idattribute is overriden correctly, but thetypeattribute is still using the component's default of "button":If I'm yielding it out with the
componenttemplate helper, it does not correctly override either of them:This doesn't seem correct to me. It seems that at least in the scenario where I'm using the component directly, it should override all of the attributes. The
componenthelper scenario might make sense if it's only passing component properties and not element attributes.The text was updated successfully, but these errors were encountered: