pug-codegen: Abstract parts of the code generator that accumulate output #2958
Conversation
This consolidates code generator code that produces instructions to append content to the output and allows customizing it.

This enables features like pugjs#2895 which distinguishes between strings definitely authored by the template author and those possibly controlled by an attacker to escape strings in context.

This approach allows the same hooks to both handle idiomatic pug like

```pug
a [href=x]
```

and inline html like

```html
<a href="#{x}">
```

See also pugjs#2952
I'm not sure how broad the use case for this is. The reasons I've resisted adding these kinds of hooks to the pug compiler are:
It's tempting to accept this as a simple alternative, but I'm not sure how much (if anything) it adds that can't already be done some other way. For example, you could already transform the I'm not necessarily saying we should build this as that plugin (I think this should be a core feature), but I'm not sure this is the core API that's needed.
If I were writing this with no concern to efficiency, I would define a buffer object to accumulate output like

```ts
interface Buffer {
  // Appends a string in the output language from a trusted source
  appendStaticContent(content: string): void;
  // Appends a value from an unknown source. If it is a string then
  // it should be treated as plain text and not assumed to be a fragment
  // of the output language.
  appendDynamicValue(value: any): void;
}
```

and tweak things so that `a[href=x] Foo` did something like

```js
outputBuffer.appendStaticContent('<a href="');
outputBuffer.appendDynamicValue(x);
outputBuffer.appendStaticContent('">');
outputBuffer.appendStaticContent('Foo');
outputBuffer.appendStaticContent('</a>');
```

This patch seeks to enable a buffer object like that but with easy coalescing of subsequent append statements while still allowing
If this were public, then any clients would need to migrate and/or do work to generate source map info correctly. If this were not exposed via
What kind of core API might enable the interface above?
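As an added illustration of the buffer interface sketched in the comment above (example code written for this page, not pug's code and not the commenter's), here is a contextual-escaping buffer in JavaScript. Static content advances a small HTML-context state machine; a dynamic value is then escaped for the slot it lands in (text, quoted attribute value, or an unquoted one) and refused where no escaping makes it safe, and adjacent static appends are coalesced into one chunk. The class name `ContextualBuffer`, the `parts` list, the `renderLink` helper and the URL allow-list policy are all assumptions of this example.

```javascript
// Added example, not pug's own code: a contextual-escaping output buffer in the
// shape of the Buffer interface from the comment above. Names other than the
// two interface methods are this example's own.

const TEXT = "text";         // between tags
const TAG = "tag";           // inside <tag ...>, reading tag/attribute names
const ATTR_DQ = "attr-dq";   // inside a "..." attribute value
const ATTR_SQ = "attr-sq";   // inside a '...' attribute value
const ATTR_UNQ = "attr-unq"; // inside an unquoted attribute value

// Assumed policy: these attributes take URLs, and only these schemes pass.
const URL_ATTRS = new Set(["href", "src", "action", "formaction"]);
const SAFE_SCHEMES = new Set(["http", "https", "mailto"]);

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(s) { return s.replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]); }

// Reject any URL whose scheme is not allow-listed. Control characters and
// whitespace are stripped before matching so "java\nscript:" is still caught.
function sanitizeUrl(s) {
  const probe = s.replace(/[\u0000-\u0020]/g, "");
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(probe);
  return m && !SAFE_SCHEMES.has(m[1].toLowerCase()) ? "about:invalid#" : s;
}

class ContextualBuffer {
  constructor() {
    this.parts = [];      // [{kind: "static"|"dynamic", text}], adjacent statics merged
    this.state = TEXT;
    this.nameBuf = "";    // token currently being read inside a tag
    this.lastName = "";   // previous token, so `name = "v"` still finds the name
    this.attrName = "";   // attribute whose value is being read
    this.afterEq = false; // saw `name=` and no value yet
  }

  // Advance the HTML context through trusted output, one character at a time.
  _advance(content) {
    for (const ch of content) {
      const ws = /\s/.test(ch);
      switch (this.state) {
        case TEXT:
          if (ch === "<") { this.state = TAG; this.nameBuf = this.lastName = ""; this.afterEq = false; }
          break;
        case TAG:
          if (ch === ">") this.state = TEXT;
          else if (ch === "=") { this.attrName = (this.nameBuf || this.lastName).toLowerCase(); this.nameBuf = ""; this.afterEq = true; }
          else if (this.afterEq && ch === '"') { this.state = ATTR_DQ; this.afterEq = false; }
          else if (this.afterEq && ch === "'") { this.state = ATTR_SQ; this.afterEq = false; }
          else if (this.afterEq && !ws) { this.state = ATTR_UNQ; this.afterEq = false; }
          else if (ws) { if (this.nameBuf) { this.lastName = this.nameBuf; this.nameBuf = ""; } }
          else this.nameBuf += ch;
          break;
        case ATTR_DQ: if (ch === '"') this.state = TAG; break;
        case ATTR_SQ: if (ch === "'") this.state = TAG; break;
        case ATTR_UNQ: if (ch === ">") this.state = TEXT; else if (ws) this.state = TAG; break;
      }
    }
  }

  // Trusted template text: advances the context and coalesces with a preceding static chunk.
  appendStaticContent(content) {
    this._advance(content);
    const last = this.parts[this.parts.length - 1];
    if (last && last.kind === "static") last.text += content;
    else this.parts.push({ kind: "static", text: content });
  }

  // Untrusted value: rendered as plain text for the current context, never as markup.
  appendDynamicValue(value) {
    let text = value == null ? "" : String(value);
    switch (this.state) {
      case TEXT:
        this.parts.push({ kind: "dynamic", text: escapeHtml(text) });
        return;
      case ATTR_DQ:
      case ATTR_SQ:
        if (URL_ATTRS.has(this.attrName)) text = sanitizeUrl(text);
        this.parts.push({ kind: "dynamic", text: escapeHtml(text) });
        return;
      case TAG:
        if (this.afterEq) { // `href=` directly followed by the value: quote it ourselves
          if (URL_ATTRS.has(this.attrName)) text = sanitizeUrl(text);
          this.parts.push({ kind: "dynamic", text: '"' + escapeHtml(text) + '"' });
          this.afterEq = false;
          return;
        }
        throw new Error("dynamic value in attribute-name position cannot be escaped");
      default:
        throw new Error("dynamic value inside an unquoted attribute value cannot be escaped");
    }
  }

  toString() { return this.parts.map((p) => p.text).join(""); }
}

// The instruction sequence sketched above for `a[href=x] Foo`, as a helper (assumed name).
function renderLink(x) {
  const out = new ContextualBuffer();
  out.appendStaticContent('<a href="');
  out.appendDynamicValue(x);
  out.appendStaticContent('">');
  out.appendStaticContent("Foo");
  out.appendStaticContent("</a>");
  return out;
}
```

With this buffer, `renderLink('javascript:alert(1)')` yields `<a href="about:invalid#">Foo</a>` while a relative path or an `https:` URL passes through (attribute-escaped), and the three trailing static appends collapse into a single `">Foo</a>` chunk. The state machine deliberately does not model `<script>`, `<style>` or comment contexts; a real implementation would have to track those and refuse dynamic values there too, and the scheme allow-list is conservative (a bare `localhost:8080/` would be rejected as an unknown scheme).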
For You can use the preCodeGen step to walk the AST and for each element, check the attributes for any
Sorry for not responding sooner. I think I understand what's needed, but haven't found time to work on it yet. I will try to get something done next week.
I got pulled away by other things. I'm closing this now in favor of https://github.com/mikesamuel/pug-plugin-trusted-types |