WIP: remove unsafe script #201
Conversation
|
unsafe-script seemed like it definitely makes problems |
| """<unsafe-script style='display:none'> | ||
| WebIO.mount(this.previousSibling,""") | ||
| # NOTE: do NOT add space between </div> and <unsafe-script> | ||
| write(io, escapeHTML(sprint(s->jsexpr(s, x)))) |
There was a problem hiding this comment.
Why don't we need escapeHTML any more?
There was a problem hiding this comment.
things in a <script> tag get special treatment.. for example, & is actually JS syntax but & is not and will cause a parse error 🙃
I think I figured out how to fix the issue here.
|
It'd be great to get rid of |
| function encode_scripts(htmlstr::String) | ||
| # sometimes a </script> can be inside a string inside a string inside a string... | ||
| # we need to go deeper.... | ||
| replace(htmlstr, r"</(_*)script>" => x->replace(x, "/"=>"/_")) |
There was a problem hiding this comment.
@JobJob this hack was superb. But not ugly enough. 🤣
There was a problem hiding this comment.
So it will match anything like </script>, </_script>, </__script> and add another underscore...
There's sometimes code that will call setInnerHtml which will in turn call setInnerHtml etc, so you need to escape just enough.
|
Ok my failing example works now, but this doesn't work for the initial output... @manipulate for i=1:10
i
@manipulate for j=1:10
i,j
end
endIt might have to do with some code I edited in |
|
As a general comment, it's probably important to add extensive comments in the code explaining how the whole mechanism works, esp. wrt escaping and the various hacks, otherwise it's going to be an adventure the next time it needs to be updated! |
I'm having the following problem here:
@piever this situation arises with any simple
@manipulatelikeI'm didn't dig deep into why, but I feel like it probably shouldn't?
closes #200 when done