New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
When sniffing for exports, make sure exports is not an HTMLElement #35
Comments
I would prefer some other check besides sniffing more on the exports object. What about testing for |
You could end up with false positives due to require.js being present. |
The environment:
Currently, this errors because If Why would you prefer to avoid inspecting the |
If the UMD bundle is loaded first, requirejs has not been evaluated yet. It seems to me that by checking I would prefer some other check to exports.toString(), open to other ideas besides the require check. |
What about checking module as well? if (
typeof module === 'object'
&& !!module // guard against nulls since typeof null === 'object'
&& typeof module.exports === 'object'
&& !!exports // another null guard, if you're worried about this.
) { |
I like @chrisdickinson's original suggestion typeof exports === 'object' && 'exports.toString() === '[object Object]'
How about typeof exports === 'object' && exports.toString().indexOf('HTML') === -1 If exports is an element, |
@desandro Why is this preferable to checking |
@chrisdickinson typeof exports === 'object' && typeof exports.nodeName !== 'string' |
@jrburke would you have any opposition to us landing the change proposed by @girokon? https://twitter.com/mikesherov/status/612009844745347073 cc @mikesherov |
I agree with the twitter thread, for ones that use |
Why about
I would advise against using |
Please see https://github.com/umdjs/umd/pull/63/files and umdjs/umd#35 for more information, but this change prevents an HTML element with an id of `module` from cuasing the UMD shim to incorrectly detect the enivornment as node.
Please see umdjs/umd#63 and umdjs/umd#35 for more information, but this change prevents an HTML element with an id of `exports` from causing the UMD shim to incorrectly detect the environment as node.
Please see umdjs/umd#63 and umdjs/umd#35 for more information, but this change prevents an HTML element with an id of `exports` from causing the UMD shim to incorrectly detect the environment as node.
Wouldn't a check like this be more precise? typeof exports === 'object' && !/^\[object HTML.*?Element\]$/.test(Object.prototype.toString.call(exports)) It looks like all objects implementing the |
@jacksonrayhamilton, correct me if I'm wrong, the UMD shim is intended to wrap code that doesn't reference the export object internally. Furthermore, With that said, the exports and define checks are duck typing at its finest. The nodeName check prevents a false positive from browser global pollution. It's likely "good enough". Your solution prevents a situation in which your using node code that isn't UMD wrapped in a browser environment and also exports a nodeName property as a string. Unlikely. |
I'm curious though to see what @addyosmani thinks though. If users are reporting your issue @jacksonrayhamilton, or if this is just bikeshedding. What if someone reassigns the export object in their node code to an html element? the proposed solution is equally vulnerable. If a user isn't UMD wrapping all the code being bundled, it's all at risk regardless of whatever duck type checking you do. |
I think this would protect against that in all cases (except the case where that exported element is the element with the typeof exports === 'object' && (typeof document !== 'object' || document.getElementById('exports') !== exports) I also wonder whether this element |
The difference being that this exact scenario was happening to me and to at least one other person. I am happy to continue to think up more ways to make this more and more solid, however my personal preference is to leave alone until someone uncovers a real world situation your latest solution addresses that the current doesn't. |
The only problem about the last condition is that on earlier IE you are checking |
Otherwise HTML like so:
... can trip up the detection and trigger an exception by attempting to access
module.exports
, since elements with ids are automatically made globally available by their id value.if(typeof exports === 'object' && '' + exports === '[object Object]')
should fix this issue.The text was updated successfully, but these errors were encountered: