
Result of SECOND call to partial from r.JavaScript(...) will be escaped content!? #106

Closed
MaMrEzO opened this issue Jan 6, 2020 · 3 comments
Assignees
Labels
wontfix This will not be worked on

Comments

@MaMrEzO

MaMrEzO commented Jan 6, 2020

As described here (Naming partial example), we are able to use partial as below (one-level partial call):
t1.html that uses partial _t1.html:

<h1>Create New User</h1>

<%= partial("t1.html") %>

_t1.html:

<form action="/users">
<!-- form stuff here  -->
</form>

That will get us:

<h1>Create New User</h1>

<form action="/users">
<!-- form stuff here  -->
</form>

That's good, but what I'm trying to do:
t1.js

$("#app-content").replaceWith('<%= partial("t1.html") %>');

_t1.html:

<main class="app-content" id="app-content">
  <h1>Create New User</h1>
  <%= partial("person/_t1.form.html") %>
</main>

_t1.form.html

<div> FORM? </div>

And in the action (Go) (templating and rendering with plush):

c.Render(200, r.JavaScript("t1.js"))

gets me something like this:

<main class="app-content" id="app-content">
  <h1>Create New User</h1>
  \x3Cdiv\x3E FORM? \x3C/div\x3E\u000A
</main>

And what I expected:

<main class="app-content" id="app-content">
  <h1>Create New User</h1>
<div> FORM? </div>
</main>

Did I miss something, or can it be done?

@MaMrEzO
Author

MaMrEzO commented Jan 7, 2020

Renderer JavaScript:

The new JavaScript renderer also has its own implementation of the partial function. This new implementation behaves almost the same as the original implementation, but is smart enough to know that if you are rendering an *.html file inside of a *.js file that it will need to be escaped properly, and so it does it for you.

But not quite as described! Yes, we are in a JS template, and partial calls here must be escaped, but another partial inside HTML partials must be rendered with the HTML ones, not the JavaScript...

@sio4
Member

sio4 commented Sep 5, 2022

I am not 100% sure but the behavior described in the document was changed at v0.13.3 by gobuffalo/buffalo#1433. There is not much description on the PR, but the PR removed the buffalo-specific helper function (link [1])

Basically, the policy on JavaScript and/or HTML escaping is somewhat tricky since there is a trade-off between convenience and security concerns (such as script injection), even though the partial function is basically not for end-user content but for developers, so there are completely different opinions on the way to handle them.

You can also find related discussions or requests on the following issues or PRs:

[1] https://github.com/gobuffalo/buffalo/pull/1433/files#diff-b8d27da23a85850a0647363bbb0c79e915ffbe57d0720c296531e03427f820c3L53
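The two points raised in this thread, the double escaping MaMrEzO observed when an HTML partial nests another HTML partial under a .js template, and the script-injection trade-off sio4 mentions, as an added Go example. This is not code from the issue or from Buffalo/plush: the templates are constructed from the bodies posted above, `{{partial "name"}}` is a stand-in for plush's `<%= partial("name") %>`, and the escaping uses the standard library's `html/template.JSEscapeString`, which emits `\u003C` where the output in the issue shows `\x3C` (equivalent inside a JS string literal). The three `JSPartial*` helpers are hypothetical policies, not Buffalo's actual helper; `JSPartialEveryLevel` is my reading of what would produce the posted symptom, since escaping the inner partial twice leaves `\u003Cdiv\u003E` as literal text after the browser decodes the string once.

```go
package main

import (
	"fmt"
	"html/template"
	"strings"
)

// Constructed stand-ins for the template files in the issue. A body calls
// another partial with {{partial "name"}}, a simplification of plush's
// <%= partial("name") %>; neither plush nor Buffalo is used here.
var partials = map[string]string{
	"t1.js":         "$(\"#app-content\").replaceWith('{{partial \"_t1.html\"}}');\n",
	"_t1.html":      "<main class=\"app-content\" id=\"app-content\">\n  <h1>Create New User</h1>\n  {{partial \"_t1.form.html\"}}\n</main>\n",
	"_t1.form.html": "<div> FORM? </div>\n",
	// Constructed: markup whose apostrophe would end a JS string literal early.
	"unsafe.js":    "document.body.innerHTML = '{{partial \"_unsafe.html\"}}';\n",
	"_unsafe.html": "<div>O'Brien</div>\n",
}

// expand substitutes every {{partial "name"}} in body with render(name); the
// helper in force (render) decides whether and how nested output is escaped.
func expand(body string, render func(string) string) string {
	const tagOpen, tagClose = `{{partial "`, `"}}`
	var out strings.Builder
	for {
		i := strings.Index(body, tagOpen)
		if i < 0 {
			out.WriteString(body)
			return out.String()
		}
		rest := body[i+len(tagOpen):]
		j := strings.Index(rest, tagClose)
		if j < 0 { // unterminated call: leave the text as-is
			out.WriteString(body)
			return out.String()
		}
		out.WriteString(body[:i])
		out.WriteString(render(rest[:j]))
		body = rest[j+len(tagClose):]
	}
}

// HTMLPartial is the helper an HTML template uses: nested partials are
// inserted verbatim. Partial bodies are developer-authored templates, not
// end-user data (escaping user data is the template engine's job, omitted here).
func HTMLPartial(name string) string {
	return expand(partials[name], HTMLPartial)
}

// JSPartialBoundary escapes exactly once, where HTML crosses into a JS string
// literal: the HTML partial and everything nested under it is rendered as
// HTML first, then the whole fragment is JS-escaped.
func JSPartialBoundary(name string) string {
	return template.JSEscapeString(HTMLPartial(name))
}

// JSPartialEveryLevel models a JS-aware helper that stays in force for every
// nesting level: the innermost partial is escaped as it enters _t1.html and
// again as _t1.html enters t1.js, so the browser decodes it only once.
func JSPartialEveryLevel(name string) string {
	return template.JSEscapeString(expand(partials[name], JSPartialEveryLevel))
}

// JSPartialRaw does no escaping at all: convenient, and unsafe.
func JSPartialRaw(name string) string { return HTMLPartial(name) }

// RenderJS renders a .js template with the given partial helper in force.
func RenderJS(name string, helper func(string) string) string {
	return expand(partials[name], helper)
}

// UnescapedQuotes counts occurrences of q that are not backslash-escaped. An
// odd count means a string literal in js was terminated early or never closed.
func UnescapedQuotes(js string, q byte) int {
	n := 0
	for i := 0; i < len(js); i++ {
		switch js[i] {
		case '\\':
			i++ // skip the escaped character
		case q:
			n++
		}
	}
	return n
}

func main() {
	fmt.Println("escaped once at the boundary:\n" + RenderJS("t1.js", JSPartialBoundary))
	fmt.Println("escaped at every level:\n" + RenderJS("t1.js", JSPartialEveryLevel))
	for _, h := range []struct {
		name   string
		helper func(string) string
	}{{"raw", JSPartialRaw}, {"boundary", JSPartialBoundary}} {
		js := RenderJS("unsafe.js", h.helper)
		fmt.Printf("%s: %sunescaped single quotes: %d\n", h.name, js, UnescapedQuotes(js, '\''))
	}
}
```

Run it with `go run .`. With `JSPartialBoundary` the response contains `\u003Cdiv\u003E FORM? \u003C/div\u003E\u000A` once, and the browser turns it back into `<div> FORM? </div>`; with `JSPartialEveryLevel` the same fragment arrives as `\\u003Cdiv\\u003E ...`, which decodes to the literal text the issue reports. The `unsafe.js` case shows why the escape at the boundary cannot simply be dropped for convenience: the unescaped apostrophe in `O'Brien` leaves three unescaped quotes, i.e. the string literal ends early and whatever follows runs as JavaScript. The policy that satisfies both concerns is to escape based on the caller's file type, once, at the HTML-to-JS boundary, and to render everything below that boundary as HTML.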

@sio4
Member

sio4 commented Sep 5, 2022

Closing it, but please feel free to reopen it if you need more discussion on this or have any ideas.

@sio4 sio4 closed this as completed Sep 5, 2022
@sio4 sio4 self-assigned this Sep 5, 2022
@sio4 sio4 added the wontfix This will not be worked on label Sep 5, 2022
sio4 added a commit that referenced this issue Sep 5, 2022