-
Notifications
You must be signed in to change notification settings - Fork 1.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
refactor: v2 framework rewrite #6903
base: main
Are you sure you want to change the base?
Conversation
* test(v2): add some svg tests * fix lint * fix conditional rendering
* test(v2): test for #2688 issue * Fixup: make test fail in same way as e2e * WIP: test green or skip --------- Co-authored-by: Miško Hevery <[email protected]>
* cleanup * change node prop updating * fix some use-visible-task tests * update node prop review changes Co-authored-by: Wout Mertens <[email protected]>
* TODO - instanceof DerivedSignal to remove all _IMMUTABLE stuff - jsxnode proxy: - _IMMUTABLE -> _CONST_PROPS - _VAR_PROPS - remove _wrapSignal etc Co-authored-by: Varixo <[email protected]> * varProps constProps WIPWIPWIP * fix serialization --------- Co-authored-by: Varixo <[email protected]>
add a version override so the API extractor uses it too
…o be eagerly resolved.
* fix(v2): fix boolean and number attributes * fix(v2): fix boolean and number attributes
* test(v2): add test for rendering text node between nodes * fix failing test
…update Bumps the npm_and_yarn group with 1 update in the / directory: [express](https://github.com/expressjs/express). Bumps the npm_and_yarn group with 1 update in the /starters/adapters/express directory: [express](https://github.com/expressjs/express). Updates `express` from 4.19.2 to 4.20.0 - [Release notes](https://github.com/expressjs/express/releases) - [Changelog](https://github.com/expressjs/express/blob/master/History.md) - [Commits](expressjs/express@4.19.2...4.20.0) Updates `express` from 4.19.2 to 4.20.0 - [Release notes](https://github.com/expressjs/express/releases) - [Changelog](https://github.com/expressjs/express/blob/master/History.md) - [Commits](expressjs/express@4.19.2...4.20.0) --- updated-dependencies: - dependency-name: express dependency-type: direct:development dependency-group: npm_and_yarn - dependency-name: express dependency-type: direct:production dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: wuls <[email protected]>
hashes can have _ in them
Co-authored-by: Wout Mertens <[email protected]> Co-authored-by: Giorgio Boa <[email protected]>
chore(v2): Merge main
undefined
} | ||
errorDiv.setAttribute('q:key', '_error_'); | ||
const journal: VNodeJournal = []; | ||
vnode_getDOMChildNodes(journal, vHost).forEach((child) => errorDiv.appendChild(child)); |
Check warning
Code scanning / CodeQL
DOM text reinterpreted as HTML Medium
DOM text
DOM text
} else if (key === 'value' && key in element) { | ||
(element as any).value = escapeHTML(String(value)); | ||
} else if (key === dangerouslySetInnerHTML) { | ||
(element as any).innerHTML = value!; |
Check warning
Code scanning / CodeQL
DOM text reinterpreted as HTML Medium
DOM text
DOM text
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix AI 1 day ago
To fix the issue, we need to ensure that any content assigned to innerHTML
is properly escaped to prevent XSS. We can use a utility function like escapeHTML
to escape the content before setting it as innerHTML
.
- Identify the line where
innerHTML
is set with potentially unsafe content. - Use the
escapeHTML
function to sanitize the content before assigning it toinnerHTML
.
-
Copy modified line R900
@@ -899,3 +899,3 @@ | ||
} else if (key === dangerouslySetInnerHTML) { | ||
(element as any).innerHTML = value!; | ||
(element as any).innerHTML = escapeHTML(String(value!)); | ||
} else { |
const insertBefore = journal[idx++] as Element | Text | null; | ||
let newChild: any; | ||
while (idx < length && typeof (newChild = journal[idx]) !== 'number') { | ||
insertParent.insertBefore(newChild, insertBefore); |
Check warning
Code scanning / CodeQL
DOM text reinterpreted as HTML Medium
DOM text
DOM text
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix AI 1 day ago
To fix the problem, we need to ensure that any data inserted into the DOM is properly sanitized or escaped to prevent XSS vulnerabilities. Specifically, we should escape any HTML special characters in the newChild
variable before inserting it into the DOM.
- Use a utility function to escape HTML special characters.
- Apply this escaping function to the
newChild
variable before it is inserted into the DOM.
-
Copy modified line R930
@@ -929,3 +929,3 @@ | ||
while (idx < length && typeof (newChild = journal[idx]) !== 'number') { | ||
insertParent.insertBefore(newChild, insertBefore); | ||
insertParent.insertBefore(document.createTextNode(escapeHTML(newChild)), insertBefore); | ||
idx++; |
* fix some signal deserialization * fix vnode serialize * fix store * resource working * fix(ssr): await close container * Date: support invalid+use shorter epoch time * add setter for deserialized object * add test for setting a value * fix qrl scope deduping * fix(nix): playwright running --------- Co-authored-by: Varixo <[email protected]>
…e checking (#6939) * reduce subscription count * do not use regex for attribute security check
This PR is for showing progress on v2, and having installable npm packages.
The changes are meant to be readable and maintainable, so if things are unclear please let us know.