Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Reject JS-y escapes in html strings. #242

Open
theengineear opened this issue Dec 22, 2024 · 5 comments
Open

Reject JS-y escapes in html strings. #242

theengineear opened this issue Dec 22, 2024 · 5 comments

Comments

@theengineear
Copy link
Collaborator

theengineear commented Dec 22, 2024

Any \-escaping is a JS-y thing — not an HTML-y thing per-se. For example, \n, \b, \t, etc. have no real meaning within html content (they’re just literal characters). Rather than allow a confusing mix of JS-isms and HTML-isms — we could just throw when we encounter such escapes.

const foo = 'this is okay\u2026'; // This is normal JS
const moo = 'this will not fail, but is not what you want…'; // This is HTML-in-JS.
const mar = 'sure, you do you…'; // Also JS-y
const bar = html`this is not okay\u2026`; // This is JS-in-HTML
const pip = html`more\nbad\nthings`; // Newline escapes are also JS-in-HTML
const yuk = html`\w\h\y\?`; // Not that you would do this, but this would be silly.
const baz = html`this is okay…`; // This is HTML-y
const zip = html`also okay…`; // This is HTML-y
const zap = html`also okay, for completeness…`; // Also HTML-y
const yap = html`also okay, you do you…` // Also HTML-y

Technically, this simply involves looking at the strings.raw array (a special, raw version of the strings array passed to a tagged template function). If you see any unescaped \ patterns (other than for a literal backtick or backslash), we reject that input.

@theengineear theengineear changed the title Reject JS-y unicode escapes in html strings. Reject JS-y escapes in html strings. Dec 28, 2024
@Osintedx
Copy link

Osintedx commented Jan 2, 2025

I agree with the idea of separating JS and HTML escapes for clarity. It’ll help avoid confusion and bugs.

A couple of things to consider:

Error Messages: It might be helpful to add clear error messages when throwing errors, so developers know exactly how to fix the issue (e.g., replace \u2026 with …).

Linting/Pre-commit: We could also add a linting rule or pre-commit hook to catch these errors earlier.

Edge Cases: Are there any situations where this might accidentally flag valid escapes? It could be useful to document these cases.

@klebba
Copy link
Collaborator

klebba commented Jan 2, 2025

Hi @Osintedx — thanks for your interest — can you share more about how you are using x-element in your projects?

@Osintedx
Copy link

Osintedx commented Jan 3, 2025

Hi @Osintedx — thanks for your interest — can you share more about how you are using x-element in your projects?

I’m using x-element to build lightweight, reusable custom elements for my projects. It’s great for:

Efficient Templating: Handling DOM updates and data binding.
Syncing Attributes & Properties: Keeping data consistent in interactive components.
Event Delegation: Managing events cleanly in complex UIs.
Reactive Systems: Observing and computing properties easily.

@klebba
Copy link
Collaborator

klebba commented Jan 6, 2025

@Osintedx what is your purpose?

@klebba
Copy link
Collaborator

klebba commented Jan 17, 2025

Why is it immoral to conceal when a LLM bot is masquerading as a real person?

LLM says:

Concealing the fact that a language model (LLM) bot is masquerading as a real person can be considered immoral for several reasons:

Deception: It involves deceiving individuals into believing they are interacting with a human, which violates principles of honesty and transparency. People have the right to know whether they are communicating with a human or a machine.

Informed Consent: Users should have the ability to make informed decisions about their interactions. Concealing the nature of the bot denies them the opportunity to consent to or opt out of the interaction.

Trust: Trust is a fundamental component of communication. Deception can erode trust not only in the specific interaction but also in broader contexts, such as trust in technology and digital communications.

Accountability: Human interactions come with expectations of accountability and responsibility. If a bot is masquerading as a person, it can lead to situations where accountability is unclear, especially if the bot provides misleading or harmful information.

Ethical Standards: Many ethical guidelines and standards for AI emphasize transparency and the importance of clearly identifying AI systems. Concealing a bot's identity goes against these established norms.

Potential Harm: Misleading users can lead to various harms, such as emotional distress, privacy violations, or the spread of misinformation. Users may share sensitive information or make decisions based on the false belief that they are interacting with a human.

Respect for Autonomy: Respecting individuals' autonomy involves allowing them to make choices based on accurate information. Deception undermines this autonomy by manipulating the context of the interaction.

Overall, transparency about the nature of AI systems is crucial to maintaining ethical standards in technology and ensuring respectful and fair interactions.

Bummer. Even the LLM fails to report that above all it is immoral to waste the time of real people, which is ultimately their most scarce resource

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants