Where is Ember.Handlebars.Utils.escapeExpression in the @ember module system? #16817
Comments
@peabnuts123 Have you found an answer yet? Did asking this on the ember community slack or forum help you get any answers to your question? I found some dialog on this post, https://medium.com/@bradleyscollins/how-does-one-access-ember-handlebars-utils-escapeexpression-ebbe33093186
No, I never did find a satisfactory answer, though I did not post in the Slack or Forum. I currently have the following in my component:

```js
import Ember from 'ember';
const htmlEscape = Ember.Handlebars.Utils.escapeExpression;
```

so that in the future I may import
Yea, nice links - I had found the same thread in my travels. I think the idea for the future is to import it from `import { htmlEscape } from "Handlebars";` or similar. This has the unfortunate downside of relying on Handlebars to export these functionalities themselves via the module API, which I think we're just kind of "waiting on" at this point
Trying to upgrade an addon to a more recent version of Ember I stumbled upon this issue. Since we cannot rely on global

```js
import Ember from 'ember';
const htmlEscape = Ember.Handlebars.Utils.escapeExpression;
```
We need this. Right now you need to either/or:
@rwjblue said:
What about now? Something possible that I should know about?
Is there a resolution on this? It feels like a quintessential util for people who need to process text.
@rwjblue Any thoughts? :)
Folks please see the comment that closed the related PR: After discussing with the core team today- we've decided to not move forward with this PR because Ember doesn't use it internally, and hasn't for quite some time now- it was always an artifact from Handlebars itself. The work for the module RFC removed non-Ember re-exports, and authors were advised to import what they need directly from any particular non-Ember module (e.g., rsvp or jQuery). This is still our position. If you feel like you still have a use case, please submit an RFC.
I am happy with this position / this has been my understanding throughout this issue. If people find this issue in the future still wanting to access this function - you will need to access it from the

```js
import Handlebars from 'handlebars';
import { htmlSafe } from '@ember/template';

let userInput = getUserInput(); // Something unsafe, e.g. user-controlled text
let escapedInput = Handlebars.Utils.escapeExpression(userInput); // Escape any HTML in this string so that it will render as &lt;, &amp; etc.
let alteredHtml = escapedInput.replace(/hello/g, '<span class="highlight">hello</span>'); // Add some HTML to the text
let safeHtml = htmlSafe(alteredHtml);
// safeHtml is now safe to render in the DOM
```
So I understand this issue is 100% upstream. Out of curiosity, is there something similar'ish that can be done using only Ember utils?
Something like this should work:

```js
// your-app/utils/misc.js
import { isHTMLSafe } from '@ember/template';

// Entity table: every character that can open, close or delimit HTML syntax
const ESCAPE = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
  '`': '&#x60;',
  '=': '&#x3D;',
};
const BAD_CHARS = /[&<>"'`=]/g;
const POSSIBLE = /[&<>"'`=]/;

let escapeChar = function(chr) {
  return ESCAPE[chr];
};

// borrowed from Handlebars.Utils.escapeExpression
// https://github.com/emberjs/ember.js/pull/18791
let escapeExpression = function(string) {
  if (typeof string !== 'string') {
    // don't escape SafeStrings, since they're already safe
    if (string && isHTMLSafe(string)) {
      return string.toHTML(); // private API, since SafeString isn't public
    } else if (string === null) {
      return '';
    } else if (!string) {
      return String(string);
    }
    // Force a string conversion as this will be done by the append regardless and
    // the regex test will do this transparently behind the scenes, causing issues if
    // an object's to string has escaped characters in it.
    string = String(string);
  }
  if (!POSSIBLE.test(string)) {
    return string;
  }
  return string.replace(BAD_CHARS, escapeChar);
};

export { escapeExpression as escape };
```
What about using a dedicated package for this?
@kategengler Those are also good suggestions, but I don't think they interop with
SafeString is a string marked as safe by the user, it doesn't do any escaping itself, and it doesn't have any expectations of what has been escaped, if anything. You can use any escaping library you like. As @MelSumner said, Ember doesn't use any escaping functions internally anymore.
@pzuraq Yeah, but wouldn't the escaping library need to know if a string is a safe-string or not? To know whether it should, or should not, escape them? And it seems to me like the SafeString class itself, plus the method This isn't a big problem + I don't mind using private APIs (or perhaps them not being private is my misunderstanding), but it seems to me like making them public would be helpful in the aforementioned regard.
@sandstrom I don't think that the I'll double check to see about that. FWIW, there have also been discussions of having a new
I'm sure OP knows this but for those reading along casually, I wouldn't recommend just swapping in sanitization libraries in place of escaping. Sanitization and escaping are two very different things that are often confused, because their end goal is similar (protecting against XSS and the like). Escaping should always be the first tool in your toolbox, because it is the safest - it simply prevents any HTML from being rendered, so if you're only trying to display text, escaping protects you from any injected HTML altogether. Sanitization is useful if you want to render some HTML but still do so relatively safely. It attempts to determine what HTML is "safe" and what is "not", and strip out the unsafe stuff. This is a much harder problem, and existing libraries are good at it, but if you don't need to render HTML at all, it's much simpler and safer to just escape all HTML and not worry about it.
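The following is an added, stand-alone example (not code from this thread, nor from Ember or Handlebars) that ties together the `escapeExpression` utility posted above and the escaping-versus-sanitizing distinction in the previous comment. It uses the same entity table Handlebars uses, shows the "escape first, then decorate, then mark safe" order, and contrasts it with a deliberately tiny allowlist sanitizer built on top of escaping. `SafeString` here is a constructed stand-in for Ember's SafeString (assumption: it only carries its content and does no escaping of its own), and the sample inputs are constructed.

```javascript
// Added example, not code from this thread or from Ember/Handlebars.
// Assumption: `SafeString` is a constructed stand-in for Ember's SafeString;
// it holds already-safe HTML and performs no escaping itself.

const ESCAPE = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
  '`': '&#x60;',
  '=': '&#x3D;',
};
const BAD_CHARS = /[&<>"'`=]/g;
const POSSIBLE = /[&<>"'`=]/;

class SafeString {
  constructor(html) { this.html = html; }
  toHTML() { return this.html; }
}

// Escape every character that could open, close or delimit HTML syntax.
// Already-safe strings pass through, null becomes '', other values are coerced
// to string first so that an object's toString() output is escaped as well.
function escapeExpression(value) {
  if (typeof value !== 'string') {
    if (value instanceof SafeString) return value.toHTML();
    if (value === null) return '';
    if (!value) return String(value);
    value = String(value);
  }
  if (!POSSIBLE.test(value)) return value;
  return value.replace(BAD_CHARS, (chr) => ESCAPE[chr]);
}

// The order discussed in the thread: escape the untrusted text FIRST, then add
// our own markup, then mark the result safe. Decorating before escaping would
// escape our own <span>; marking safe without escaping would render whatever
// HTML the user typed. The search term is escaped too, because it is matched
// against text that has already been escaped.
function highlightWord(userInput, word) {
  const escaped = escapeExpression(userInput);
  const term = escapeExpression(word);
  const decorated = escaped.split(term).join(`<span class="highlight">${term}</span>`);
  return new SafeString(decorated); // the only place a string is declared safe
}

// A minimal allowlist "sanitizer" built on top of escaping: escape everything,
// then re-instate only bare, attribute-less <b>/<i>/<em>/<strong> tags.
// Real sanitizers parse the HTML and must reason about attributes, nesting and
// URLs; this toy exists only to show that sanitizing means deciding which
// markup to let back in, which is the harder and riskier problem.
const ALLOWED_TAGS = ['b', 'i', 'em', 'strong'];
function sanitizeMinimal(html) {
  let out = escapeExpression(html);
  for (const tag of ALLOWED_TAGS) {
    out = out.split(`&lt;${tag}&gt;`).join(`<${tag}>`);
    out = out.split(`&lt;/${tag}&gt;`).join(`</${tag}>`);
  }
  return out;
}

// Constructed sample inputs.
const SAMPLE_TEXT = 'hello <b>world</b>, hello';
const SAMPLE_HTML = '<b>bold</b> <script>x</script> <b onclick="y">no</b>';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(escapeExpression(SAMPLE_TEXT));
  console.log(highlightWord(SAMPLE_TEXT, 'hello').toHTML());
  console.log(sanitizeMinimal(SAMPLE_HTML));
}
```

Note how the `<b onclick="y">` in `SAMPLE_HTML` survives only as escaped text after `sanitizeMinimal`, because it is not a bare `<b>`; the escaper never had to know what an attribute is, which is exactly why escaping is the simpler primitive to rely on when you only need to display text.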
In spite of the name,
Thanks, yeah I noticed that - it still only escapes disallowed tags, although as mentioned in the docs just above that you can set it to disallow all tags and effectively escape everything. But my main goal was to try to avoid folks skimming through, see "oh yay sanitize that sounds great" and drop those libraries into their project as a replacement, without understanding that it's not the same thing, and comes with different tradeoffs.
This is unused elsewhere in the framework itself and is not public API, so it should be safe to remove. Additionally, since this is just a copy of the API from within Handlebars itself, users who want to use it should directly use Handlebars' (or some other library's) escaping library instead. See [the discussion at #16817][16817] for background.

[16817]: #16817
Similar to the last comment in #9874, how does one access `Ember.Handlebars.Utils.escapeExpression` in a modern way, without importing all of `ember`? I need to escape HTML in my app (because I am decorating some user-input with markup) before marking it as `htmlSafe()` and can't find any way of doing so without writing my own escaping function or importing some kind of addon.