[ssr] Replace escape-html dependency with our own version #2346
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
🦋 Changeset detectedLatest commit: 9dc4372 The changes in this PR will be included in the next version bump. Not sure what this means? Click here to learn what changesets are. Click here if you're a maintainer who wants to add another changeset to this PR |
Contributor
📊 Tachometer Benchmark ResultsSummarynop-update
render
update
update-reflect
Resultslit-element-list
render
update
update-reflect
lit-html-kitchen-sink
render
update
nop-update
lit-html-repeat
render
update
lit-html-template-heavy
render
update
reactive-element-list
render
update
update-reflect
|
justinfagnani
approved these changes
Dec 8, 2021
| * Replaces characters which have special meaning in HTML (&<>"') with escaped | ||
| * HTML entities ("&", "<", etc.). | ||
| */ | ||
| export const escapeHtml = (str: string) => |
Collaborator
There was a problem hiding this comment.
Since we use this in quoted attribute value position can we double-check that this is the right escape algorithm for that? I seem to recall there are difference escape requirements in different contexts, but don't know exactly off the top of my head.
Member
Author
There was a problem hiding this comment.
Testing locally and some stack overflow posts seem to support this scheme. I do wonder why we need to quote anything except for & and ", though, since it seems that [<>'] should be safe inside an " attribute string.
Member
Author
There was a problem hiding this comment.
The spec isn't super precise about this, it seems
https://html.spec.whatwg.org/multipage/syntax.html#attributes-2
Attribute values are a mixture of text and character references, except with the additional restriction that the text cannot contain an ambiguous ampersand.
The definition of text:
Text is allowed inside elements, attribute values, and comments. Extra constraints are placed on what is and what is not allowed in text based on where the text is to be put, as described in the other sections.
But maybe there's another part of the spec I should be looking at.
Collaborator
There was a problem hiding this comment.
It's ok. This keeps the current behavior. Just something that crossed my mind with your fallback renderer PR.
AndrewJakubowicz
approved these changes
Dec 8, 2021
Contributor
AndrewJakubowicz
left a comment
There was a problem hiding this comment.
Missing domain knowledge, but syntactically this LGTM!
Is this code in a tested path?
Comment on lines
+23
to
+24
| /[&<>"']/g, | ||
| (char) => replacements[char as keyof typeof replacements] |
Contributor
There was a problem hiding this comment.
This is really elegant.
Member
Author
Yep, it's in the code path of most rendering, so it's covered by most tests. Confirmed that breaking the implementation fails some tests. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The
escape-htmlpackage is not an ES module, and it's a pretty trivial function to just write ourselves. See https://unpkg.com/browse/[email protected]/index.js for reference. This new implementation should have the exact same output.Advantages: getting rid of the only non-esm dependency helps with running SSR in deno and service-workers, and drops our dependency surface area and package size.
Fixes #1998