nette / utils

🛠 Lightweight utilities for string & array manipulation, image handling, safe JSON encoding/decoding, validation, slug or strong password generating etc.

Home Page: https://doc.nette.org/utils


HTML: addChild() & addChildren()

dakur opened this issue · comments

commented

▸ Is your feature request related to a problem? Please describe.

There is no intuitive way to nest elements and to nest them safely. I can use one of the following methods:

  • Html::el('ul')->addHtml(Html::el('li'))
    • the problem is that addHtml()'s parameter accepts a string as well, which opens it up to potential XSS issues
  • Html::el('ul')->create('li')
    • the safe one, but not very intuitive, and it requires a loop when nesting multiple elements into one parent

▸ Explain your intentions.

I suggest creating addChild(Html $child) and addChildren(Html[] $children) methods on Html objects. As they accept only Html instances, they are safe, and the naming also follows the industry standard.

▸ It's up to you to make a strong case to convince the project's developers of the merits of this feature.

I did above.

I can make a pull request if you agree on this proposal as well.

When passing an Html object as a parameter there is no room for XSS. If you do not trust the input, you can use ->addText(), which also accepts Html. This means escaping for a string and no escaping for a passed Html object.

commented

@jkuchar My point is that if you pass a variable into addHtml(), you cannot be sure that it is not an unsanitized string by mistake, and as addHtml() does not type-check that it is an IHtmlString, you have a potential XSS there.

I still do not see the point. If you are calling ->addHtml(), you are adding – well – HTML, so it is up to the programmer to check this.

commented

@jkuchar The point is that you want to use an API which helps you avoid working with unsafe content as much as possible. So if there is addHtml(IHtmlString $html), I would prefer it over addHtml(IHtmlString|string $html) so that I never pass an unsafe string in there by accident in the future. And if I need to pass an unsafe string, I should have to call something like setDangerouslyInnerHtml in React – explicitly saying it is not safe.

As I do not want to make BCs, I do not propose changing the parameter type but creating a new method with a strictly typed parameter.

But that is only part of the proposal. The second one is about nesting more children at once – the addChildren() complement.
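The API shapes debated in this thread, as an added PHP example that is not nette/utils code: SafeNesting and its two methods are hypothetical stand-ins for the proposed addChild()/addChildren(), written outside the Html class; the script assumes nette/utils is installed via Composer and uses only Html::el(), addHtml(), addText() and setText() from the library.

```php
<?php
declare(strict_types=1);
require __DIR__ . '/vendor/autoload.php'; // assumption: nette/utils installed via Composer

use Nette\Utils\Html;

// Hypothetical helpers mirroring the proposed addChild()/addChildren();
// they live outside Html because this is an illustration, not the library.
final class SafeNesting
{
    // Only an Html instance is accepted, so an untrusted string cannot reach addHtml().
    public static function addChild(Html $parent, Html $child): Html
    {
        return $parent->addHtml($child);
    }

    /** @param Html[] $children */
    public static function addChildren(Html $parent, array $children): Html
    {
        foreach ($children as $i => $child) {
            if (!$child instanceof Html) {
                throw new \InvalidArgumentException("Child #$i is not an Html instance.");
            }
            $parent->addHtml($child);
        }
        return $parent;
    }
}

// Constructed sample of untrusted input, e.g. a user-supplied display name.
$untrusted = '<img src=x onerror=alert(1)>';

// 1) Current API: addHtml() also takes a string, so a variable that is not an
//    Html instance is emitted unescaped (the XSS case raised in the issue).
echo Html::el('ul')->addHtml($untrusted), "\n";

// 2) The escaping alternative named in the thread: addText() escapes strings
//    but passes Html instances through untouched.
echo Html::el('ul')->addText($untrusted), "\n";

// 3) Proposed shape: children built as Html (setText() escapes), nested via a typed helper.
$items = array_map(fn(string $n) => Html::el('li')->setText($n), ['alice', $untrusted]);
echo SafeNesting::addChildren(Html::el('ul'), $items), "\n";

// 4) A plain string can no longer slip in by accident.
try {
    SafeNesting::addChildren(Html::el('ul'), [$untrusted]);
} catch (\InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Run it with `php example.php` after `composer require nette/utils`; case 1 shows the raw markup in the output, cases 2 and 3 show it entity-escaped, and case 4 is rejected before any markup is produced.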