
Document safety of handling user input (like JSX escaping) #10

Open
kumar303 opened this issue Oct 16, 2019 · 7 comments

Comments

@kumar303

JSX provides automatic escaping which lets you put user input into JSX safely (and without thinking about it).

Does esx provide this under the hood? I was unsure when looking through the ES6 template string examples so it would be helpful to document this in the readme.

@davidmarkclements (Member)

yes it does - all inputs run through here https://github.com/esxjs/esx/blob/master/lib/escape.js

@davidmarkclements (Member)

would love a PR for this if you're into it

@kumar303 (Author)

I suggest also mentioning in the docs that it uses custom escaping code, rather than the official React escaping code (just for transparency).

@davidmarkclements (Member)

no it's supposed to match the escape codes in React, that's why it's duplicated rather than just using escape-html as mentioned here: https://github.com/esxjs/esx/blob/master/lib/escape.js#L3-L8

are you saying it doesn't? if so that should be fixed

@kumar303 (Author)

> are you saying it doesn't? if so that should be fixed

I just meant that the docs should mention how esx uses its own escaping code rather than using the exact React escaping code. This is an important detail because a potential security bug that gets fixed upstream in React (in the future) would not make it into esx unless it was manually copied over (if I understand correctly).

@davidmarkclements (Member)

yes I see what you're saying. It corresponds exactly right now. It's terribly annoying that react didn't just use the escape-html module or release their own.

Would you be interested in making a PR?

@kumar303 (Author)

> yes I see what you're saying. It corresponds exactly right now. It's terribly annoying that react didn't just use the escape-html module or release their own.

I suggest filing an issue asking them to make it importable so you can at least call the same function.

> Would you be interested in making a PR?

I can add it to my to-do list but I probably won't get to it any time soon.
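The following is an added illustration of the contract discussed in this thread; it is not esx's `lib/escape.js` and not React's source. It shows (a) a React-style escaper for the five HTML-significant characters, (b) a tagged template in which static parts are trusted and every interpolation is escaped, which is the "all inputs run through here" guarantee, and (c) a parity fixture that records the expected escaped output for a set of constructed inputs, so that a local copy of the escaping logic drifting from the upstream it mirrors is caught by a test rather than noticed by accident. The `&#x27;` versus `&#39;` difference for the single quote is, to my knowledge, the one byte-level difference between React's escaper and the escape-html package; both parse to the same character. All names (`makeEscaper`, `html`, `checkParity`, `PARITY_FIXTURE`) and the fixture values are assumptions made up for this example.

```javascript
// Added example, not esx's or React's code. Demonstrates the escaping contract
// discussed in the issue and a parity check against a recorded fixture.

// Characters React escapes in text content and attribute values. React emits
// &#x27; for the single quote; the escape-html package emits &#39; (assumption
// stated in the lead-in). Equivalent once parsed, but not byte-for-byte equal.
const REACT_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
};

// Non-global regex for the fast-path test, global one for the replacement,
// so no lastIndex state is carried between calls.
const HAS_UNSAFE = /[&<>"']/;
const UNSAFE_RE = /[&<>"']/g;

// Build an escaper from a replacement table (the table is the only thing that
// differs between the React-style and escape-html-style variants below).
function makeEscaper(table) {
  return function escape(value) {
    const text = String(value);
    if (!HAS_UNSAFE.test(text)) return text; // nothing to escape
    return text.replace(UNSAFE_RE, (ch) => table[ch]);
  };
}

const escapeForBrowser = makeEscaper(REACT_ESCAPES);
const escapeHtmlStyle = makeEscaper({ ...REACT_ESCAPES, "'": '&#39;' });

// Minimal tagged template: the static template parts are author-controlled and
// emitted as-is; every interpolated value is escaped before concatenation.
// This is the property the issue asks esx to document.
function html(strings, ...values) {
  let out = strings[0];
  for (let i = 0; i < values.length; i++) {
    out += escapeForBrowser(values[i]) + strings[i + 1];
  }
  return out;
}

// Constructed fixture: inputs paired with the output the mirrored upstream
// escaper produces today. Regenerate it against upstream when upstream changes;
// a non-empty result from checkParity() means the local copy has drifted.
const PARITY_FIXTURE = [
  ['plain text', 'plain text'],
  ['<script>alert(1)</script>', '&lt;script&gt;alert(1)&lt;/script&gt;'],
  ['Tom & "Jerry"', 'Tom &amp; &quot;Jerry&quot;'],
  ["it's", 'it&#x27;s'],
  ['a<b>c', 'a&lt;b&gt;c'],
];

// Returns the list of fixture entries on which `escaper` disagrees with the
// recorded output; an empty array means full parity.
function checkParity(escaper, fixture = PARITY_FIXTURE) {
  return fixture
    .filter(([input, expected]) => escaper(input) !== expected)
    .map(([input, expected]) => ({ input, expected, actual: escaper(input) }));
}

// Demo: a user-supplied value never becomes markup, and the parity check
// flags the escape-html-style variant on the single-quote entry only.
console.log(html`<p title="${'"><img src=x>'}">${'<b>bold</b>'}</p>`);
console.log('react-style drift:', checkParity(escapeForBrowser));
console.log('escape-html-style drift:', checkParity(escapeHtmlStyle));
```

The fixture approach is the practical answer to the maintenance concern raised above: when the escaping code is a copy rather than an import, a recorded expected-output table tied to the upstream version is what turns "it corresponds exactly right now" into something a CI job can keep re-checking.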
