Alternative to dangerouslySetInnerHTML in block save
#421
Comments
A few ideas:

This could confuse block authors. If they're familiar with React, maybe they explicitly expect their content to be escaped and it won't be the case.
Seems like a good idea to explore, though, it won't be possible to reuse elements from the

Related: #419 (comment)
By default, React escapes string children, converting HTML tags to their encoded equivalents. On the web, this is considered a "good thing" in helping avoid unintentional cross-site scripting attacks. However, in the serialization step of converting a block to its string form, this complicates the block's `save` function where we need to be able to include raw HTML in the generated output to be saved for `post_content`. The block's save function is never truly rendered, only ever passed through `ReactDOMServer.renderToStaticMarkup` to generate the composed content of the post. In order to include HTML in the serialized content, a developer must use the special `dangerouslySetInnerHTML` prop.

What's the problem?

It's not obvious that a developer would need to use `dangerouslySetInnerHTML` to include arbitrary markup in the saved post content. Additionally the property name is very intentional in its scariness, which is likely off-putting for our legitimate use-case.

Why do we need it?

We may consider exploring alternatives, but for the moment particularly the `Editable` (TinyMCE) component is affected by this in its value being reflected as raw HTML.
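The behaviour the issue describes, as an added illustration that is not code from the Gutenberg or React projects: a small stand-in for `ReactDOMServer.renderToStaticMarkup` over a plain element tree, escaping text children and attribute values the way React does, and honouring `dangerouslySetInnerHTML` as the one path that emits raw markup. The two block `save` functions (`saveEscaped`, `saveRaw`) and the `serializeBlock` helper are hypothetical names chosen for the example; they show that a string child from an `Editable`-style component lands in `post_content` entity-encoded unless the dangerous prop is used, and what the escaping buys when the string is untrusted.

```javascript
// Added example, not Gutenberg or React code. A minimal stand-in for
// ReactDOMServer.renderToStaticMarkup over a tiny element tree, enough to
// show why string children get escaped and why block `save` output needs
// dangerouslySetInnerHTML to emit raw markup into post_content.

// The same five characters React escapes in text content and attribute values.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// createElement stand-in: an element is { type, props } with children folded into props.
function h(type, props, ...children) {
  return { type, props: { ...(props || {}), children } };
}

// Serialize a tree to static markup. Strings are escaped; arrays are concatenated.
function renderToStaticMarkup(node) {
  if (node == null || node === false) return '';
  if (typeof node === 'string' || typeof node === 'number') return escapeHtml(node);
  if (Array.isArray(node)) return node.map(renderToStaticMarkup).join('');
  const { type, props } = node;
  const attrs = Object.entries(props)
    .filter(([key]) => key !== 'children' && key !== 'dangerouslySetInnerHTML')
    .map(([key, value]) => ` ${key}="${escapeHtml(value)}"`)
    .join('');
  // dangerouslySetInnerHTML bypasses escaping entirely; children are ignored when it is set.
  const inner = props.dangerouslySetInnerHTML
    ? props.dangerouslySetInnerHTML.__html
    : renderToStaticMarkup(props.children);
  return `<${type}${attrs}>${inner}</${type}>`;
}

// Hypothetical save functions for a paragraph block whose `content` attribute
// holds the HTML string an Editable (TinyMCE) component produced.
function saveEscaped(attributes) {
  // Plain string child: serialized with tags entity-encoded, so the markup is lost.
  return h('p', null, attributes.content);
}
function saveRaw(attributes) {
  // Raw passthrough: the only way to get the HTML into post_content unchanged.
  return h('p', { dangerouslySetInnerHTML: { __html: attributes.content } });
}

// Mirrors the serialization step: run save() and render the result to markup.
function serializeBlock(save, attributes) {
  return renderToStaticMarkup(save(attributes));
}

// Constructed sample content; the second one shows what escaping neutralizes.
const trusted = { content: 'Hello <strong>world</strong>' };
const untrusted = { content: '<script>alert(1)</script>' };
console.log(serializeBlock(saveEscaped, trusted));   // tags encoded
console.log(serializeBlock(saveRaw, trusted));       // tags preserved
console.log(serializeBlock(saveEscaped, untrusted)); // script neutralized
console.log(serializeBlock(saveRaw, untrusted));     // script passes through
```

The last line is the trade the issue is about: `dangerouslySetInnerHTML` is the only escape hatch, so whatever `Editable` hands to `save` reaches `post_content` exactly as given, and any filtering has to happen before that point rather than relying on React's default escaping.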