Skip to content
This repository has been archived by the owner on Sep 11, 2024. It is now read-only.

Escape placeholder before injecting it into the style #11607

Merged
merged 3 commits into from
Sep 19, 2023

Conversation

Johennes
Copy link
Contributor

@Johennes Johennes commented Sep 15, 2023

In particular this adds escaping for backslashes which was previously missing.


Here's what your changelog entry will look like:

🐛 Bug Fixes

  • Escape placeholder before injecting it into the style (#11607).

In particular this adds escaping for backslashes which was previously missing.
@Johennes Johennes added the T-Defect Bugs, crashes, hangs, vulnerabilities, or other reported problems label Sep 15, 2023
@Johennes Johennes requested a review from a team as a code owner September 15, 2023 14:40
@Johennes
Copy link
Contributor Author

Johennes commented Sep 15, 2023

I would have liked to add a specific test for this but was stuck on how to access the placeholder style in a test. If anyone has pointers on this, that would be appreciated.

Have added some tests now.

// escape single quotes
const placeholder = this.props.placeholder?.replace(/'/g, "\\'");
this.editorRef.current?.style.setProperty("--placeholder", `'${placeholder}'`);
this.editorRef.current?.style.setProperty("--placeholder", `'${CSS.escape(this.props.placeholder ?? "")}'`);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

https://developer.mozilla.org/en-US/docs/Web/API/CSS/escape_static says its intended for use for escaping selectors rather than values, are we sure its the right method to use here?

Copy link
Contributor Author

@Johennes Johennes Sep 18, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, that's its primary use. The docs you linked also point at the possible use for escaping general strings:

The escape() method can also be used for escaping strings, although it escapes characters that don't strictly need to be escaped

The over-escaping didn't seem to hurt in my testing and I couldn't find anything better / easier.

I think the alternative would be to extend the custom escaping to also cover backslashes? If you think that's better, I could also try that. Just seemed more complicated and error prone at first sight.

Copy link
Member

@robintown robintown left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I remember coming across this some years ago when doing i18n stuff, so yay

@robintown robintown removed the request for review from andybalaam September 19, 2023 03:30
@Johennes Johennes added this pull request to the merge queue Sep 19, 2023
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Sep 19, 2023
@Johennes Johennes added this pull request to the merge queue Sep 19, 2023
Merged via the queue into develop with commit 3fbf38f Sep 19, 2023
19 checks passed
@Johennes Johennes deleted the johannes/escape-placeholder branch September 19, 2023 06:54
netbsd-srcmastr pushed a commit to NetBSD/pkgsrc that referenced this pull request Sep 30, 2023
Changes in [1.11.45](https://github.com/vector-im/element-web/releases/tag/v1.11.45) (2023-09-29)
=================================================================================================

## 🐛 Bug Fixes
 * Fix Emoji font on Safari 17 ([\#11673](matrix-org/matrix-react-sdk#11673)).

Changes in [1.11.44](https://github.com/vector-im/element-web/releases/tag/v1.11.44) (2023-09-26)
=================================================================================================

## ✨ Features
 * Make video & voice call buttons pin conference widget if unpinned ([\#11576](matrix-org/matrix-react-sdk#11576)). Fixes vector-im/customer-retainer#72.
 * OIDC: persist refresh token ([\#11249](matrix-org/matrix-react-sdk#11249)). Contributed by @kerryarchibald.
 * ElementR: Cross user verification ([\#11364](matrix-org/matrix-react-sdk#11364)). Fixes #25752. Contributed by @florianduros.
 * Default intentional mentions ([\#11602](matrix-org/matrix-react-sdk#11602)).
 * Notify users about denied access on ask-to-join  rooms ([\#11480](matrix-org/matrix-react-sdk#11480)). Contributed by @nurjinjafar.
 * Allow setting knock room directory visibility ([\#11529](matrix-org/matrix-react-sdk#11529)). Contributed by @charlynguyen.

## 🐛 Bug Fixes
 * Revert "Fix regression around FacePile with overflow (#11527)" ([\#11634](matrix-org/matrix-react-sdk#11634)). Fixes #26209.
 * Escape placeholder before injecting it into the style ([\#11607](matrix-org/matrix-react-sdk#11607)).
 * Move ViewUser action callback to RoomView ([\#11495](matrix-org/matrix-react-sdk#11495)). Fixes #26040.
 * Fix room timeline search toggling behaviour edge case ([\#11605](matrix-org/matrix-react-sdk#11605)). Fixes #26105.
 * Avoid rendering view-message link in RoomKnocksBar unnecessarily ([\#11598](matrix-org/matrix-react-sdk#11598)). Contributed by @charlynguyen.
 * Use knock rooms sync to reflect the knock state ([\#11596](matrix-org/matrix-react-sdk#11596)). Fixes #26043 and #26044. Contributed by @charlynguyen.
 * Fix avatar in right panel not using the correct font ([\#11593](matrix-org/matrix-react-sdk#11593)). Fixes #26061. Contributed by @MidhunSureshR.
 * Add waits in Spotlight Cypress tests, hoping this unflakes them ([\#11590](matrix-org/matrix-react-sdk#11590)). Fixes #26053, #26140 #26139 and #26138. Contributed by @andybalaam.
 * Fix vertical alignment of default avatar font ([\#11582](matrix-org/matrix-react-sdk#11582)). Fixes #26081.
 * Fix avatars in public room & space search being flex shrunk ([\#11580](matrix-org/matrix-react-sdk#11580)). Fixes #26133.
 * Fix EventTile avatars being rendered with a size of 0 instead of hidden ([\#11558](matrix-org/matrix-react-sdk#11558)). Fixes #26075.

Changes in [1.11.43](https://github.com/vector-im/element-web/releases/tag/v1.11.43) (2023-09-15)
=================================================================================================

(No changes - bumping the version number for an element-desktop release.)

Changes in [1.11.42](https://github.com/vector-im/element-web/releases/tag/v1.11.42) (2023-09-13)
=================================================================================================

## 🐛 Bug Fixes
 * Update Compound to fix Firefox-specific avatar regression ([\#11604](matrix-org/matrix-react-sdk#11604)). Fixes #26155.

Changes in [1.11.41](https://github.com/vector-im/element-web/releases/tag/v1.11.41) (2023-09-12)
=================================================================================================

## 🦖 Deprecations
 * Deprecate customisations in favour of Module API ([\#25736](element-hq/element-web#25736)). Fixes #25733.

## ✨ Features
 * Make SVGR icons use forward ref ([\#26082](element-hq/element-web#26082)).
 * Add support for rendering a custom wrapper around Element ([\#25537](element-hq/element-web#25537)). Contributed by @maheichyk.
 * Allow creating public knock rooms ([\#11481](matrix-org/matrix-react-sdk#11481)). Contributed by @charlynguyen.
 * Render custom images in reactions according to MSC4027 ([\#11087](matrix-org/matrix-react-sdk#11087)). Contributed by @sumnerevans.
 * Introduce room knocks bar ([\#11475](matrix-org/matrix-react-sdk#11475)). Contributed by @charlynguyen.
 * Room header UI updates ([\#11507](matrix-org/matrix-react-sdk#11507)). Fixes #25892.
 * Remove green "verified" bar for encrypted events ([\#11496](matrix-org/matrix-react-sdk#11496)).
 * Update member count on room summary update ([\#11488](matrix-org/matrix-react-sdk#11488)).
 * Support for E2EE in Element Call  ([\#11492](matrix-org/matrix-react-sdk#11492)).
 * Allow requesting to join knock rooms via spotlight ([\#11482](matrix-org/matrix-react-sdk#11482)). Contributed by @charlynguyen.
 * Lock out the first tab if Element is opened in a second tab. ([\#11425](matrix-org/matrix-react-sdk#11425)). Fixes #25157.
 * Change avatar to use Compound implementation ([\#11448](matrix-org/matrix-react-sdk#11448)).

## 🐛 Bug Fixes
 * Fix vertical alignment of default avatar font ([\#11582](matrix-org/matrix-react-sdk#11582)). Fixes #26081.
 * Fix avatars in public room & space search being flex shrunk ([\#11580](matrix-org/matrix-react-sdk#11580)). Fixes #26133.
 * Fix EventTile avatars being rendered with a size of 0 instead of hidden ([\#11558](matrix-org/matrix-react-sdk#11558)). Fixes #26075.
 * Fix compound external assets path in bundle ([\#26069](element-hq/element-web#26069)).
 * Use RoomStateEvent.Update for knocks ([\#11516](matrix-org/matrix-react-sdk#11516)). Contributed by @charlynguyen.
 * Prevent event propagation when clicking icon buttons ([\#11515](matrix-org/matrix-react-sdk#11515)).
 * Only display RoomKnocksBar when feature flag is enabled ([\#11513](matrix-org/matrix-react-sdk#11513)). Contributed by @andybalaam.
 * Fix avatars of knock members for people tab of room settings ([\#11506](matrix-org/matrix-react-sdk#11506)). Fixes #26083. Contributed by @charlynguyen.
 * Fixes read receipt avatar offset ([\#11483](matrix-org/matrix-react-sdk#11483)). Fixes #26067, #26064 #26059 and #26061.
 * Fix avatar defects ([\#11473](matrix-org/matrix-react-sdk#11473)). Fixes #26051 and #26046.
 * Fix consistent avatar output for Percy ([\#11472](matrix-org/matrix-react-sdk#11472)). Fixes #26049 and #26052.
 * Fix colour of avatar and colour matching with username ([\#11470](matrix-org/matrix-react-sdk#11470)). Fixes #26042.
 * Fix incompatibility of Soft Logout with Element-R ([\#11468](matrix-org/matrix-react-sdk#11468)).
 * Fix instances of double translation and guard translation calls using typescript ([\#11443](matrix-org/matrix-react-sdk#11443)).
estellecomment added a commit to tchapgouv/tchap-web-v4 that referenced this pull request Oct 9, 2023
…xed, not tried running yet

* Make video & voice call buttons pin conference widget if unpinned ([\#11576](matrix-org/matrix-react-sdk#11576)). Fixes vector-im/customer-retainer#72.
* OIDC: persist refresh token ([\#11249](matrix-org/matrix-react-sdk#11249)). Contributed by @kerryarchibald.
* ElementR: Cross user verification ([\#11364](matrix-org/matrix-react-sdk#11364)). Fixes #25752. Contributed by @florianduros.
* Default intentional mentions ([\#11602](matrix-org/matrix-react-sdk#11602)).
* Notify users about denied access on ask-to-join  rooms ([\#11480](matrix-org/matrix-react-sdk#11480)). Contributed by @nurjinjafar.
* Allow setting knock room directory visibility ([\#11529](matrix-org/matrix-react-sdk#11529)). Contributed by @charlynguyen.
* Revert "Fix regression around FacePile with overflow (#11527)" ([\#11634](matrix-org/matrix-react-sdk#11634)). Fixes #26209.
* Escape placeholder before injecting it into the style ([\#11607](matrix-org/matrix-react-sdk#11607)).
* Move ViewUser action callback to RoomView ([\#11495](matrix-org/matrix-react-sdk#11495)). Fixes #26040.
* Fix room timeline search toggling behaviour edge case ([\#11605](matrix-org/matrix-react-sdk#11605)). Fixes #26105.
* Avoid rendering view-message link in RoomKnocksBar unnecessarily ([\#11598](matrix-org/matrix-react-sdk#11598)). Contributed by @charlynguyen.
* Use knock rooms sync to reflect the knock state ([\#11596](matrix-org/matrix-react-sdk#11596)). Fixes #26043 and #26044. Contributed by @charlynguyen.
* Fix avatar in right panel not using the correct font ([\#11593](matrix-org/matrix-react-sdk#11593)). Fixes #26061. Contributed by @MidhunSureshR.
* Add waits in Spotlight Cypress tests, hoping this unflakes them ([\#11590](matrix-org/matrix-react-sdk#11590)). Fixes #26053, #26140 #26139 and #26138. Contributed by @andybalaam.
* Fix vertical alignment of default avatar font ([\#11582](matrix-org/matrix-react-sdk#11582)). Fixes #26081.
* Fix avatars in public room & space search being flex shrunk ([\#11580](matrix-org/matrix-react-sdk#11580)). Fixes #26133.
* Fix EventTile avatars being rendered with a size of 0 instead of hidden ([\#11558](matrix-org/matrix-react-sdk#11558)). Fixes #26075.
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
T-Defect Bugs, crashes, hangs, vulnerabilities, or other reported problems
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants