-
Notifications
You must be signed in to change notification settings - Fork 14
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Reject JS-y escapes in html strings. #242
Comments
I agree with the idea of separating JS and HTML escapes for clarity. It’ll help avoid confusion and bugs. A couple of things to consider: Error Messages: It might be helpful to add clear error messages when throwing errors, so developers know exactly how to fix the issue (e.g., replace \u2026 with …). Linting/Pre-commit: We could also add a linting rule or pre-commit hook to catch these errors earlier. Edge Cases: Are there any situations where this might accidentally flag valid escapes? It could be useful to document these cases. |
Hi @Osintedx — thanks for your interest — can you share more about how you are using |
I’m using x-element to build lightweight, reusable custom elements for my projects. It’s great for: Efficient Templating: Handling DOM updates and data binding. |
@Osintedx what is your purpose? |
LLM says:
Bummer. Even the LLM fails to report that above all it is immoral to waste the time of real people, which is ultimately their most scarce resource |
Any
\
-escaping is a JS-y thing — not an HTML-y thing per-se. For example,\n
,\b
,\t
, etc. have no real meaning within html content (they’re just literal characters). Rather than allow a confusing mix of JS-isms and HTML-isms — we could just throw when we encounter such escapes.Technically, this simply involves looking at the
strings.raw
array (a special, raw version of thestrings
array passed to a tagged template function). If you see any unescaped\
patterns (other than for a literal backtick or backslash), we reject that input.The text was updated successfully, but these errors were encountered: