-
Notifications
You must be signed in to change notification settings - Fork 144
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow splices in attribute names #445
base: main
Are you sure you want to change the base?
Conversation
794e60e
to
2c60c64
Compare
yup, I could use this too! |
I think customizable attributes should strip invalid characters from the attribute itself. For example, if I want to set some dynamic You might say that's an unlikely usecase, but it's all strings to maud, and from a security perspective once you allow strings you will get arbitrary uses of strings IMO. Maybe you want to allow enums or a certain kind of trait only? idk. |
Good call. I've implemented a very hacky solution to prevent XSS attacks, based on the HTML standard for attribute names. Ideally somebody else who's more familiar with Rust can propose a better fix, since this one is far from ideal. |
Render trait is used for other stringification purposes, and it calls into the escaper here: https://github.com/BadMannersXYZ/maud/blob/2c60c641814dc36be10b4e813528a07904aae200/maud/src/lib.rs#L113 So Display is not called for regular strings, which would make it faster. (formatting is slow, and in the case of rendering Maybe But this would be a breaking change on that trait. I don't know if it's worth it. I don't think there are many Render impls outside of maud, but not sure. If this is added to the trait and compat breakage needs to be avoided, I think this can somehow be made backwards-compatible by having Note: I'm not a maintainer, this is just a drive-by review as i saw your PR in the HTMX discord. Don't consider what I say as prescriptive. |
Given the nature of the attribute names as strings, it might make more sense to change the bound to |
One issue I found is dealing with empty attribute names. Unfortunately, I don't think that there's a way to verify these at compile time. There are two possibilities for a runtime check at Maud's level:
|
you could require that all use of dynamic attribute names is prefixed by a static string/ident. this is a strange limitation but it should work ok for HTMX usecases.
…On Thu, Oct 31, 2024, at 01:52, Bad Manners wrote:
One issue I found is dealing with empty attribute names. Unfortunately, I don't think that there's a way to verify these at compile time. There are two possibilities for a runtime check at Maud's level:
• Aliasing to a default attribute name, for example `0`, to avoid any issues; or
• Ignoring it and letting the browser handle the empty attribute name. This is the current implementation. In such cases, I tested Firefox and Chrome, and both seem to consider the `="value"` part to be the attribute name, which has an empty value.
—
Reply to this email directly, view it on GitHub <#445 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAGMPROBTR5AOOSZNLEYHC3Z6F5LLAVCNFSM6AAAAABPAU5TT6VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDINBYG43TMMBWGI>.
You are receiving this because you commented.Message ID: ***@***.***>
|
I see a few issues with that requirement:
|
Closes #444