Add html_attr_relaxed escaping strategy
#4743
Conversation
mpdude
force-pushed
the
escape-attr-relaxed
branch
from
97bbe49 to
e641a34
Compare
| } | ||
|
|
||
| if (\in_array('html_attr', $bucket['value'], true)) { | ||
| if (\in_array('html_attr', $bucket['value'], true) || \in_array('html_attr_relaxed', $bucket['value'], true)) { |
There was a problem hiding this comment.
html_attr should be considered safe for both html and html_attr_relaxed (while html_attr_relaxed should be safe for html)
There was a problem hiding this comment.
and this behavior needs to have regression tests covering the cases related to html_attr_relaxed to ensure future changes don't break it.
There was a problem hiding this comment.
TBH, I did not understand what this code was doing in the first place, so I will need to 👀
There was a problem hiding this comment.
What this code was doing is saying that if the expression is safe for html_attr (determined by the in_array check), it should also be marked as safe for html (by adding html in the value). This is because the html_attr escaping is a superset of the html escaping.
|
@fabpot WDYT, would you endorse such an additional strategy? |
2 participants
This adds
html_attr_relaxed, a relaxed variant of thehtml_attrescaping strategy. The difference is thathtml_attr_relaxeddoes not escape the:,@,[and]characters. These are used by some front-end frameworks in attribute names to wire special handling/value binding. See https://v2.vuejs.org/v2/guide/syntax.html#v-bind-Shorthand for an example.The HTML 5 spec does not exclude all those characters from attribute names (html.spec.whatwg.org/multipage/syntax.html#attributes-2).
However, at least XML processors will treat the colon as the XML namespace separator.
HTML 5 allows XML only on SVG and MathML elements, and only for pre-defined namespace-prefixes (developer.mozilla.org/en-US/docs/Web/API/Attr/localName#:~:text=That means that the local,different from the qualified name). For other something: prefixes, these will simply be passed on as part of the local attribute name.
According to engine.sygnal.com/research/html5-attribute-names, all current browser implementations handle at least the colon fine, and the aforementioned Vue.js documentation suggests that this is also the case for @.
Note also that Symfony UX only conditionally escapes attribute names, and it has
:and@in its safe list:https://github.com/symfony/ux/blob/c9a3e66b8ac53e870097e8a828913e57204398e7/src/TwigComponent/src/ComponentAttributes.php#L82
Closes #3614.