Implement a SafeValue wrapper for helper functions. #375
Handlebars seems to provide a `SafeString` wrapper-type for helpers; with it, a helper can create string-y content that is known by the helper (i.e. implementation-code-side) to be ‘escape-safe.’ This means that the template writer needs no knowledge of whether the `{{generate}}` helper needs to be called with two brackets or three brackets. That's desirable, as having to maintain that knowledge lessens separation of concerns. (Also, tell me you haven't forgotten at least a billion times, and used the wrong number of brackets due to forgetting which your helper expected? Best case, that forgetfulness will leave some content escaped and showing up to the client as HTML-source … and worst case, you've got an injection vulnerability 'cuz you used triple-brackets one time too often.)

For my implementation approach, I decided upon a duck-typing approach: a helper or library need only wrap values into some sort of structure with an `unwrap()` method that returns a Mustache-friendly value, and then set a `safe` property to a truthy value on that structure. Everything else is ignored by my implementation.

For convenience, I've provided a `mustache.SafeValue` constructor to do exactly that. All told, with this patch, all a helper needs to do to prevent their content being escaped, even in double-brackets, is:

I have one remaining concern with my approach: helpers, when telling mustache that their content is safe, become responsible for ensuring that it is safe. This means that a helper that's obtaining user-generated content from somewhere has to do its own escaping. That's not exactly world-shocking news or anything, but I'm suspicious that there's an elegant way to reduce the helper/library-writer needing to worry about that.
Feedback appreciated before a merge; this patch isn't quite ready yet.
(This is currently failing a ton of tests on my machine, despite the tiny footprint of the changes … but I'm fairly convinced that's an environmental issue, or due to me not understanding how to set up this project's test-suite. I've done some differentiation, and changes as simple as a noop `if`/`then` were causing tests to fail. I have no idea why.)