Emphasize style attribute binding should not be quoted

[balinterdi]

I've spent quite some time debugging this (see my blog post), and although the section in the guides is correct, I think others would benefit by having this emphasized.

[chancancode]

Seems like a bug

cc @wycats

[wycats]

@balinterdi This definitely seems like a bug. concat should do the escaping, and produce a safe string.

For what it's worth, the exact semantics of property vs. attribute are somewhat undefined at the moment, so I'm pretty nervous about having people depend on a side effect of property vs. attribute that provides even-less-defined safe string semantics.

[balinterdi]

Should I create a proper issue for this in the emberjs repo? I can include the example in the blog post (which I have also extracted to a gist).

[mixonic]

This is exactly the same example as a few paragraphs above. Perhaps you can just add test to one of those paragraphs making this more explicit? Repeating the code doesn't seem helpful.

[balinterdi]

True, I've moved that paragraph under the definition of the myStyle property and removed the duplicated template code snippet.

[mixonic]

This is definitely needed right now. We distrust anything that goes through concat, so anything quoted.

[balinterdi]

@mixonic I'm not sure I see what you mean, what is needed? Do you consider the quoted version triggering the warning a bug?

[mixonic]

@balinterdi sorry for the confusing note- I'm not sure I consider it a "bug". Two safe things, when combined, may be unsafe. However I'm sure we can do better in common cases like style="{{foo}}".

Regardless I'd like to merge this docs improvement. @balinterdi can you also change the JS part of the example to:

return Ember.String.htmlSafe("color: " + color);

instead of using the Handlebars namespace? If you do this I'll !

[balinterdi]

Thank you, just changed it to use Ember.String.htmlSafe, which I actually also prefer.

[mixonic]

Thanks @balinterdi