HTML: addChild() & addChildren()
dakur opened this issue · comments
▸ Is your feature request related to a problem? Please describe.
There is no intuitive way to nest element and nest them safely. I can use one of following methods:
Html::el('ul')->addHtml(Html::el('li'))
- the problem is, that
addHtml()
's parameter acceptsstring
as well which opens it for potential XSS issues
- the problem is, that
Html::el('ul')->create('li')
- safe one, but not much intuitive and requires a loop in case of nesting multiple elements into one parent
▸ Explain your intentions.
I suggest to create addChild(Html $child)
and addChildren(Html[] $children)
methods on Html
objects. As it accepts only Html
instances it is safe and its name also goes with industry standard.
▸ It's up to you to make a strong case to convince the project's developers of the merits of this feature.
I did above.
I can make a pull request if you agree on this proposal as well.
When passing Html object as an parameter there is no space for XSS. If you do not trust input, you can use ->addText()
which also accepts Html. This means escaping for string and no escaping for passed Html object.
@jkuchar My point is that if you pass a variable into addHtml()
, you can not be sure if there is not an unsanitized string
by mistake and as addHtml()
does not typecheck it is IHtmlString
you have potential XSS in there.
I still do not see a point. I you are calling ->addHtml()
, you are adding – well – HTML, so it is up to programmer to check this.
@jkuchar The point is that you want to use API which helps you to avoid working with unsafe content as much as possible. So if there is addHtml(IHtmlString $html)
, I would prefer it over addHtml(IHtmlString|string $html)
so that I never by accident pass an unsafe string in there in future. And if I need to pass an unsafe string, I should have to call something like setDangerouslyInnerHtml
in React – explicitely saying it is not safe.
As I do not want to make BCs, I do not propose to change the parameter type but create new method with strictly typed parameter.
But that is only part of the proposal. The second one is about nesting more children at once – addChildren()
complement.