ComboBox - New methods + bullet proofing #479
Conversation
mohsinhijazee
force-pushed
the
combobox-enhancements
branch
3 times, most recently
from
e6ea55b to
1664ee2
Compare
There was a problem hiding this comment.
@mohsinhijazee Hi!
Thank you for your work! Please read the comments left. Correct the PR according to the comments and push changes.
Best regards!
pnpm-lock.yaml
Outdated
There was a problem hiding this comment.
Please remove this file from the PR. We don't use PNPM.
package.json
Outdated
There was a problem hiding this comment.
Please focus on TS files (src/plugins/combobox/*.ts).
You can create a separate PR in which you will provide your vision of bundling. But again, we do not use PNPM.
Please remove this file from the PR.
There was a problem hiding this comment.
I don't have clear idea on bundling, I thought that maybe there's some off line step that only maintainers have or similar. I'll remove them.
index.d.ts
Outdated
There was a problem hiding this comment.
Please focus on TS files (src/plugins/combobox/*.ts). You should not generate output files on your side. Please remove this file from the PR.
preline.d.ts
Outdated
There was a problem hiding this comment.
Please focus on TS files (src/plugins/combobox/*.ts). You should not generate output files on your side. Please remove this file from the PR.
dist/combobox.d.ts
Outdated
There was a problem hiding this comment.
Please focus on TS files (src/plugins/combobox/*.ts). You should not generate output files on your side. Please remove this file from the PR.
src/index.ts
Outdated
There was a problem hiding this comment.
We fixed this issue through another PR request from another user. Please remove this file from PR.
src/plugins/select/index.ts
Outdated
There was a problem hiding this comment.
Please create a separate PR for the select. We will be grateful if you will separate PRs by making them separate for each plugin.
src/utils/index.ts
Outdated
There was a problem hiding this comment.
Please do not use this as a separate helper. This check can be done with the standard Array method Array.isArray
There was a problem hiding this comment.
Yes, that's kinda pointless. 😄
src/plugins/combobox/index.ts
Outdated
| @@ -13,12 +13,14 @@ import { | |||
| afterTransition, | |||
| htmlToElement, | |||
| isParentOrElementHidden, | |||
| isArray, | |||
There was a problem hiding this comment.
Please use Array.isArray instead.
src/plugins/combobox/index.ts
Outdated
| @@ -376,6 +396,12 @@ class HSComboBox extends HSBasePlugin<IComboBoxOptions> implements IComboBox { | |||
| } | |||
|
|
|||
| private jsonItemsRender(items: any) { | |||
|
|
|||
| // Bullet proofing. | |||
| if (!isArray(items)) { | |||
There was a problem hiding this comment.
Please use Array.isArray instead.
mohsinhijazee
force-pushed
the
combobox-enhancements
branch
from
1664ee2 to
cfe7ee6
Compare
Changes to the Combobox - Constructor does not rely on `window.$hsComboBoxCollection` being initalised. Thus users for bundlers (vite etc) don't have to load all of `preline.js` - Fixed an error about invalid nullish statement Public methods selectValue() and selectAttribute - selectedItem() returns elemnent that was selected - selectedValue() returns the value. - selectedAttr() returns the custom attribute. One option to the ComboBox options: - apiSearchQueryTransformer to allow transforming query before fetch package.json: Few watch commands and generation scripts added.
mohsinhijazee
force-pushed
the
combobox-enhancements
branch
from
cfe7ee6 to
c742d2c
Compare
|
@olegpix Thank you for your feedback! I have removed everything that was not relevant ( Also, about packaging and bundling, I think some scripts or steps should be documented within the |
Hi,
We'll check and approve your PR after the next update, now we are focused on some other tasks. |
|
Hey @mohsinhijazee - thanks a lot for the PR, we will try to include this PR in v2.7.0 update. Thanks! |
| private init() { | ||
| // So that not to dpeendon preloading whole library. |
| if (!query) return null; | ||
|
|
||
| if (typeof query === 'string') { | ||
| return eval(query) as QueryTransformer; |
There was a problem hiding this comment.
Hi @mohsinhijazee , thanks for corrections.
I noticed that you've added eval in the parseApiQueryTransformer method. eval is known to be a potential security risk, especially when handling dynamic inputs, as it can allow arbitrary code execution.
This raises some concerns on our side, as we strive to keep the codebase secure and avoid introducing vulnerabilities. Could you please explain why eval was necessary here and if there might be a safer alternative?
We need to ensure that all code changes are secure and well-justified, so your clarification would be appreciated.
Thanks.
There was a problem hiding this comment.
Yes, this eval is used so that the users of the component can utilise data-* attributes to setup the search function (transforming the query before it is sent to the server) without going to write further Javascript (and instantiating a control in pure JS) therefore this does not come from the user input per se, rather from the developer/user of the library and I believe this is a safe use case and can't be exploited because it is not linked to an input control that can be manipulated by the end users to change things around.
Even data attribute though dynamically can be changed, but that change won't trigger the eval because combobox would be initialised already.
Other alternative is to drop the ability of being able to supply a search function via data-* attributes which would result in a component that is less capable when used in typical HTML only scenarios.
This PR proposes few additions to the ComboBox.
I have tested this with SvelteKit and wrapped the Combox as a Svelte Component with full events and multiple instances of the component on the same page fetching data from difference sources so many copies/instances work seemlessly.
Few fixes/improvements:
window.$hsComboBoxCollectionbeing initialised. Thus users for bundlers (vite etc) don't have to load all ofpreline.js.Additions to the CombBox:
apiSearchQueryTransformerto allow transforming query beforefetch. This is required in case some APIs use more advanced filtering DSL such as Google's AIP-160 for examplefilter=prefix('name', 'sh') OR contains('lastName', 'sh')etc.selectedItem()returns elemnent that was selectedselectedValue()returns the value.selectedAttr(attr)returns the custom attribute.Few other changes to the package.json (required dependencies added, deprecated type definitions replaced with updated packages), few scripts/watch/commands and generation scripts added.
Don't have full context on design choices so some things might seem absurd and I am here to revise as per your feedback FYI @jahaganiev and @olegpix