Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Sanitize dynamic styles #403

Merged
merged 2 commits into from
Feb 7, 2018
Merged

Sanitize dynamic styles #403

merged 2 commits into from
Feb 7, 2018

Conversation

giuseppeg
Copy link
Collaborator

We are not going to sanitize dynamic props on the client when using CSSOM API since we don't inject dom/strings.

timneutkens
timneutkens reviewed Feb 6, 2018
View reviewed changes
src/stylesheet-registry.js Outdated
// Sanitize SSR-ed and client side (style tags) CSS.
// When using optimize for speed we don't need to sanitize
// because we are not inserting markup in the DOM.
if (!this._isBrowser || !this._optimizeForSpeed) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why not in the browser? Just curious 🙏

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

document.createTextNode will do the job for us in browser 😉

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

!this._isBrowser == server side rendering

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

indeed I can also remove the second !this._optimizeForSpeed. Client side code should be safe because of document.createTextNode (dev) and the CSS OM api not injecting DOM (prod)

@giuseppeg giuseppeg merged commit c5b3f67 into master Feb 7, 2018
@giuseppeg giuseppeg deleted the escape-style branch February 7, 2018 09:49
@giuseppeg
Copy link
Collaborator Author

@timneutkens just released 2.2.4 which includes this fix.

@timneutkens
Copy link
Member

@giuseppeg will upgrade in next 🙏

@timneutkens timneutkens mentioned this pull request Feb 7, 2018
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@timneutkens timneutkens timneutkens left review comments

@a-ignatov-parc a-ignatov-parc a-ignatov-parc left review comments

@OlliV OlliV OlliV approved these changes

@nkzawa nkzawa Awaiting requested review from nkzawa

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@giuseppeg @timneutkens @a-ignatov-parc @OlliV