[vf] Adding support for parsing EL in script tags #284
Conversation
| <HTML_SCRIPT_CONTENT: (~[]) > | ||
| | <HTML_SCRIPT_END_TAG : "</script>" > : AfterTagState | ||
| <HTML_SCRIPT_END_TAG : "</script>" > : AfterTagState | ||
| | <EL_EXPRESSION_IN_SCRIPT: "{!" (<WHITESPACES>)? > : ElInScriptState |
There was a problem hiding this comment.
@sgorbaty I am curious, how does visualforce handle constructs such as {!function(){console.log("test");}();} which, even though ugly, are completely valid JS (prints "test", and evaluates to true).
I don't think we will ever be able to tell for sure if what we are parsing is actually EL or just more JS, but I wonder on the impact of not being able to tell them apart...
There was a problem hiding this comment.
Correct. The only way to solve this is to have a dedicated JS parser (Acorn/Aspree) added. I could do that but figured we should invest in PMD being able to switch parsers on the fly.
There was a problem hiding this comment.
@sgorbaty how would such parser solve this issue? {!myVar} could be either valid JS or valid EL... Even more with JS not needing to declare variables.
There was a problem hiding this comment.
@jsotuyod this is a parser for VF, not Javascript. :)
VF is a very opinionated platform, which treats {! } construct anywhere in code 100% of the time as EL; therefore, any javascript construct that looks like {!varName} would result in compilation error because there would be a missing property with that name.
There was a problem hiding this comment.
const myVar = "this is my JS var";
{!myVar} // always resolves to an Apex class property
There was a problem hiding this comment.
@sgorbaty awesome, that is what I was after! Being that way, then this grammar is correct 100% of the time identifying those as EL. This is the best scenario possible.
|
Thanks! This we included in PMD 5.6.0 and later. |
Added support to the parser to understand EL in script tags.
Also improved XSS detection logic.