From 93aeeb7a6316389f3bd4bbdb7a9ffc555677e719 Mon Sep 17 00:00:00 2001
From: bgw <29340584+bgwdotdev@users.noreply.github.com>
Date: Thu, 25 Apr 2024 19:19:15 +0100
Subject: =?UTF-8?q?=F0=9F=94=80=20Escape=20attribute=20values=20when=20emi?= =?UTF-8?q?tting=20static=20HTML.=20(#113)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* fix: add the escape function over custom attribute values
* fix: update class and style attribute values to be escaped
---
 src/lustre/internals/vdom.gleam | 33 ++++++++++++++++++++++++++++-----
 1 file changed, 28 insertions(+), 5 deletions(-)
(limited to 'src')
diff --git a/src/lustre/internals/vdom.gleam b/src/lustre/internals/vdom.gleam
index fc4a4a3..4930f80 100644
--- a/src/lustre/internals/vdom.gleam
+++ b/src/lustre/internals/vdom.gleam
@@ -282,10 +282,30 @@ fn attributes_to_string_builder(
 style,
 inner_html <> val,
 )
- Ok(#("class", val)) if class == "" -> #(html, val, style, inner_html)
- Ok(#("class", val)) -> #(html, class <> " " <> val, style, inner_html)
- Ok(#("style", val)) if style == "" -> #(html, class, val, inner_html)
- Ok(#("style", val)) -> #(html, class, style <> " " <> val, inner_html)
+ Ok(#("class", val)) if class == "" -> #(
+ html,
+ escape("", val),
+ style,
+ inner_html,
+ )
+ Ok(#("class", val)) -> #(
+ html,
+ class <> " " <> escape("", val),
+ style,
+ inner_html,
+ )
+ Ok(#("style", val)) if style == "" -> #(
+ html,
+ class,
+ escape("", val),
+ inner_html,
+ )
+ Ok(#("style", val)) -> #(
+ html,
+ class,
+ style <> " " <> escape("", val),
+ inner_html,
+ )
 Ok(#(key, "")) -> #(
 string_builder.append(html, " " <> key),
 class,
@@ -293,7 +313,10 @@ fn attributes_to_string_builder(
 inner_html,
 )
 Ok(#(key, val)) -> #(
- string_builder.append(html, " " <> key <> "=\"" <> val <> "\""),
+ string_builder.append(
+ html,
+ " " <> key <> "=\"" <> escape("", val) <> "\"",
+ ),
 class,
 style,
 inner_html,
--
cgit v1.2.3
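Review bot: The four `class`/`style` arms escape each fragment as it is accumulated, but nothing records that the joined `class` and `style` strings must then be written out without a second escape; the code that emits them is outside this hunk, so that is an assumption to confirm. A short comment above the arms, e.g. `// class/style fragments are escaped here, once; the joined value must be emitted as-is`, would state the invariant, and the empty first argument in `escape("", val)` deserves a word on what it is. The diffstat shows only `vdom.gleam` changing, so no test pins the new behaviour; a rendering test with a class or style value containing `"` and `<` would guard against regressions.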
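Review bot: Only `val` is escaped in the `Ok(#(key, val))` arm; `key` is still concatenated raw into the tag, as it is in the `Ok(#(key, "")) ->` arm shown as context in the previous hunk. If an attribute name can ever come from data rather than from a literal in view code, the emitted markup is still not well-formed-by-construction, so either validate names before appending them or document the trust boundary with something like `// key is developer-supplied and emitted unescaped; only val is escaped`. It is also worth confirming that `escape`, defined outside this diff, encodes `"` as well as `&`, `<` and `>`, since the value sits inside a double-quoted attribute.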