Can't console.log() in body #185

Closed
popovichN opened this issue Dec 11, 2016 · 5 comments

@popovichN

Would be nice to be able to console.log() data properties within the html/body, like you can in Ractive. I.e. {{console.log(data)}}

@Rich-Harris
Member

Yep, this is a useful debugging technique. Also, it's useful to be able to use certain other globals like Math so that you can do {{Math.round(someValue)}} and so on. Ractive and Vue both have a whitelist (here and here) of which globals you can use.

Something just occurred to me though – in Ractive, {{foo}} results in the empty string if foo is undefined. In Svelte, it actually prints undefined. Since console.log(...) returns undefined, you'd get the same result. Two options:

  • Deal with it (aka {{console.log(myValue) || ''}}, if you don't want to render undefined)
  • Add some special logic for dealing with console.* expressions

Either way we should do the global whitelisting thing

@Ryuno-Ki

I wonder what would happen if someone would overwrite a global … I know, it's bad style. But I can imagine this being an attack vector (for example distributed over an advertisement network …).

@Ryuno-Ki

One way would be to compare to “builtins” of an iFrame (since it creates a new global context).

@Rich-Harris
Member

> I wonder what would happen if someone would overwrite a global … I know, it's bad style. But I can imagine this being an attack vector (for example distributed over an advertisement network …).

If an attacker is able to use that vector, I think you've already lost – you wouldn't be able to use any builtins. I don't think people should expect Svelte components to resist attacks that regular JS can't. Though it would be worth documenting that you can do this to at least prevent globals being reassigned after you've created the component:

<script>
  export default {
    helpers: {
      Math
    }
  };
</script>
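
An added example, not part of the original comment and not Svelte's own code: a plain-JavaScript model of what capturing a global in `helpers` does and does not protect against. The factory names and the constructed `scope` object are hypothetical; the point is that a captured reference survives later reassignment of the global, but in-place mutation of the shared object is still visible unless the needed method itself is captured.

```javascript
// Constructed stand-in for the page's global scope, so the demo never
// touches the real globalThis.Math.
function makeScope() {
  return { Math: { round: (x) => Math.round(x) } };
}

// Hypothetical component factories (assumed model, not Svelte's API). Each
// returns a render function for the template expression {{Math.round(value)}}.

// 1. Looks the global up at render time: sees any later reassignment.
function lateLookup(scope) {
  return (value) => scope.Math.round(value);
}

// 2. Captures the object at creation time, like `helpers: { Math }`.
function captureObject(scope) {
  const helpers = { Math: scope.Math };
  return (value) => helpers.Math.round(value);
}

// 3. Captures only the method the template needs in a frozen helpers object,
//    so later mutation of the shared Math object is not visible either.
function captureFrozen(scope) {
  const helpers = Object.freeze({ round: scope.Math.round });
  return (value) => helpers.round(value);
}

// Builds a component on a fresh scope, applies a tampering step after the
// component exists, and returns what the template would render for 2.6.
function renderAfter(factory, tamper) {
  const scope = makeScope();
  const render = factory(scope);
  tamper(scope);
  return render(2.6);
}

// Two ways another script on the page could interfere after creation.
const reassign = (scope) => { scope.Math = { round: () => 'tampered' }; };
const mutate = (scope) => { scope.Math.round = () => 'tampered'; };

function demo() {
  const rows = {};
  const factories = { lateLookup, captureObject, captureFrozen };
  for (const [name, factory] of Object.entries(factories)) {
    rows[name] = { reassign: renderAfter(factory, reassign), mutate: renderAfter(factory, mutate) };
  }
  return rows;
}

console.table(demo());
```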

@Ryuno-Ki

Ah, right. This is currently possible as well. Haven't thought of that! Security is so hard … so many things to keep in mind …

Rich-Harris added a commit that referenced this issue Dec 15, 2016
allow whitelisted globals