feat: be more like jsdom (when jsdom throws error if element name or attr name is invlaid - we ignore invalid chars) (NOTE: we could just use he npm package to escape all, no ignoring/cleaning)

Author: srghma

src/Halogen/VDom/DOM/StringRenderer.purs

@@ -10,7 +10,7 @@ import Data.Number.Format as Data.Number.Format
 import Data.String as S
 import Data.Set as Set
 import Halogen.VDom.StringRenderer as VSR
-import Halogen.VDom.StringRenderer.Util (escape)
+import Halogen.VDom.StringRenderer.Util (escapeAttributeValue, escapeHtmlEntity)
 import Unsafe.Coerce (unsafeCoerce)
 
 render ∷ ∀ i w. (w → String) → VDom (Array (Prop i)) w → String
@@ -32,7 +32,7 @@ renderProp = case _ of
   Ref _ → Nothing
 
 renderAttr ∷ String → String → Maybe String
-renderAttr name value = Just $ escape name <> "=\"" <> value <> "\""
+renderAttr name value = Just $ escapeHtmlEntity name <> "=\"" <> escapeAttributeValue value <> "\""
 
 propNameToAttrName ∷ String → String
 propNameToAttrName = case _ of
@@ -44,12 +44,11 @@ propNameToAttrName = case _ of
 
 renderProperty ∷ String → PropValue → Maybe String
 renderProperty name prop = case typeOf (unsafeToForeign prop) of
-  "string"  → renderAttr name' $ (unsafeCoerce ∷ PropValue → String) prop
-  "number"  → renderAttr name' $ Data.Number.Format.toString ((unsafeCoerce ∷ PropValue → Number) prop)
+  "string" → renderAttr name' $ (unsafeCoerce ∷ PropValue → String) prop
+  "number" → renderAttr name' $ Data.Number.Format.toString ((unsafeCoerce ∷ PropValue → Number) prop)
   "boolean" →
-    if ((unsafeCoerce :: PropValue -> Boolean) prop)
-      then Just $ escape name'
-      else Nothing
+    if ((unsafeCoerce :: PropValue -> Boolean) prop) then Just $ escapeHtmlEntity name'
+    else Nothing
   _ → Nothing
   where
   name' = propNameToAttrName name

src/Halogen/VDom/StringRenderer.purs

@@ -9,9 +9,8 @@ import Data.Array as A
 import Data.Maybe (Maybe, maybe)
 import Data.String as S
 import Data.Tuple (snd)
-
 import Halogen.VDom (VDom(..), ElemName(..), Namespace(..), runGraft)
-import Halogen.VDom.StringRenderer.Util (escape)
+import Halogen.VDom.StringRenderer.Util (cleanAndEscapeTextNode, cleanNonXnvName, escapeHtmlEntity)
 
 -- | Type used to determine whether an element can be rendered as self-closing
 -- | element, for example, "<br/>".
@@ -35,7 +34,7 @@ render getTagType renderAttrs renderWidget = go
   where
   go ∷ VDom attrs widget → String
   go = case _ of
-    Text s → escape s
+    Text s → cleanAndEscapeTextNode s
     Elem namespace elementName attrs children → renderElement namespace elementName attrs children
     Keyed namespace elementName attrs kchildren → renderElement namespace elementName attrs (map snd kchildren)
     Widget widget → renderWidget widget
@@ -45,9 +44,9 @@ render getTagType renderAttrs renderWidget = go
   renderElement maybeNamespace elemName@(ElemName name) attrs children =
     let
       as = renderAttrs attrs
-      as' = maybe as (\(Namespace ns) -> "xmlns=\"" <> escape ns <> "\"" <> if S.null as then "" else " " <> as) maybeNamespace
+      as' = maybe as (\(Namespace ns) -> "xmlns=\"" <> escapeHtmlEntity ns <> "\"" <> if S.null as then "" else " " <> as) maybeNamespace
+      name' = cleanNonXnvName name
     in
-      "<" <> name <> (if S.null as' then "" else " ") <> as' <>
-        if A.null children
-        then if getTagType elemName == SelfClosingTag then "/>" else "></" <> name <> ">"
-        else ">" <> S.joinWith "" (map go children) <> "</" <> name <> ">"
+      "<" <> name' <> (if S.null as' then "" else " ") <> as' <>
+        if A.null children then if getTagType elemName == SelfClosingTag then "/>" else "></" <> name' <> ">"
+        else ">" <> S.joinWith "" (map go children) <> "</" <> name' <> ">"

src/Halogen/VDom/StringRenderer/Util.purs

@@ -1,22 +1,76 @@
-module Halogen.VDom.StringRenderer.Util (escape) where
+module Halogen.VDom.StringRenderer.Util where
 
 import Prelude
-import Data.String.Regex (Regex, replace')
-import Data.String.Regex.Flags (global)
+
+import Data.String.Regex (Regex, replace', replace)
+import Data.String.Regex.Flags (global, unicode)
 import Data.String.Regex.Unsafe (unsafeRegex)
 
-escapeRegex ∷ Regex
-escapeRegex = unsafeRegex "[\\\"\\\'/&<>]" global
-
-escapeChar ∷ String → String
-escapeChar = case _ of
-  "\"" → "&quot;"
-  "'"  → "&#39;"
-  "/"  → "&#x2F;"
-  "&"  → "&amp;"
-  "<"  → "&lt;"
-  ">"  → "&gt;"
-  ch   → ch
-
-escape ∷ String → String
-escape = replace' escapeRegex (const <<< escapeChar)
+-- TODO: use https://github.com/mathiasbynens/he ?
+escapeHtmlEntity ∷ String → String
+escapeHtmlEntity = replace' escapeRegex (const <<< escapeChar)
+  where
+  escapeRegex ∷ Regex
+  escapeRegex = unsafeRegex """[&"'<>\t\n\r\/]""" global
+
+  escapeChar ∷ String → String
+  escapeChar = case _ of
+    "&" -> "&amp;"
+    "\"" -> "&quot;"
+    "'" → "&#39;"
+    "<" -> "&lt;"
+    ">" -> "&gt;"
+    "\t" -> "&#x9;"
+    "\n" -> "&#xA;"
+    "\r" -> "&#xD;"
+    "/" → "&#x2F;"
+    ch → ch
+
+-- just like https://github.com/jsdom/w3c-xmlserializer/blob/83115f8ecce8ed77a2a907c74407b2c671751463/lib/attributes.js#L24
+-- NOTE: it will not escape / in https://mywebsite.com (check this test https://github.com/jsdom/w3c-xmlserializer/blob/83115f8ecce8ed77a2a907c74407b2c671751463/test/test.js#L58-L70)
+escapeAttributeValue ∷ String → String
+escapeAttributeValue = replace' escapeRegex (const <<< escapeChar)
+  where
+  escapeRegex ∷ Regex
+  escapeRegex = unsafeRegex """[&"<>\t\n\r]""" (global <> unicode)
+
+  escapeChar ∷ String → String
+  escapeChar = case _ of
+    "&" -> "&amp;"
+    "\"" -> "&quot;"
+    "<" -> "&lt;"
+    ">" -> "&gt;"
+    "\t" -> "&#x9;"
+    "\n" -> "&#xA;"
+    "\r" -> "&#xD;"
+    ch → ch
+
+-- just like https://github.com/jsdom/xml-name-validator/blob/836f307eec81279d2b1655587892e38a1effe039/lib/xml-name-validator.js#L4
+-- but will just remove all chars that are not `name`
+--
+-- Where we use it in `<my-element my-attr="my-attr-value"></my-element>`? We use it to clean `my-element` and `my-attr`.
+-- Just like w3c-xmlserializer does for element names (https://github.com/jsdom/w3c-xmlserializer/blob/83115f8ecce8ed77a2a907c74407b2c671751463/lib/serialize.js#L178) and attribute names (https://github.com/jsdom/w3c-xmlserializer/blob/83115f8ecce8ed77a2a907c74407b2c671751463/lib/attributes.js#L112).
+cleanNonXnvName ∷ String → String
+cleanNonXnvName = replace invalidCharsRegex ""
+  where
+  invalidCharsRegex = unsafeRegex """[^[:A-Z_a-z\u00C0-\u00D6\u00D8-\u00F6\u00F8-\u02FF\u0370-\u037D\u037F-\u1FFF\u200C-\u200D\u2070-\u218F\u2C00-\u2FEF\u3001-\uD7FF\uF900-\uFDCF\uFDF0-\uFFFD\u{10000}-\u{EFFFF}\-.0-9\u00B7\u0300-\u036F\u203F-\u2040]""" (global <> unicode)
+
+-- just like https://github.com/jsdom/w3c-xmlserializer/blob/83115f8ecce8ed77a2a907c74407b2c671751463/lib/serialize.js#L155
+-- removes all non XML_CHAR characters and changes escapes &<>
+cleanAndEscapeTextNode ∷ String → String
+cleanAndEscapeTextNode = replace' escapeRegex (const <<< escapeChar) <<< cleanInvalidChars
+  where
+  cleanInvalidChars :: String -> String
+  cleanInvalidChars = replace invalidCharsRegex ""
+    where
+    invalidCharsRegex = unsafeRegex """[^\x09\x0A\x0D\x20-\uD7FF\uE000-\uFFFD\u{10000}-\u{10FFFF}]""" (global <> unicode)
+
+  escapeRegex ∷ Regex
+  escapeRegex = unsafeRegex "[&<>]" global
+
+  escapeChar ∷ String → String
+  escapeChar = case _ of
+    "&" → "&amp;"
+    "<" → "&lt;"
+    ">" → "&gt;"
+    ch → ch

test/Test/Main.purs

@@ -0,0 +1,116 @@
+module Test.Main where
+
+import Prelude
+
+import Data.Maybe (Maybe(..))
+import Data.Tuple (Tuple)
+import Data.Tuple.Nested ((/\))
+import Effect (Effect)
+import Halogen.VDom (VDom, ElemName(..))
+import Halogen.VDom as V
+import Halogen.VDom.DOM.Prop (Prop(..), PropValue, propFromBoolean, propFromInt, propFromNumber, propFromString)
+import Halogen.VDom.DOM.StringRenderer (render)
+import Test.Spec (describe, it)
+import Test.Spec.Assertions (shouldEqual)
+import Test.Spec.Reporter (consoleReporter)
+import Test.Spec.Runner.Node (runSpecAndExitProcess)
+import Unsafe.Coerce (unsafeCoerce)
+
+attr ∷ ∀ a. String → String → Prop a
+attr key value = Attribute Nothing key value
+
+class IsPropValue v where
+  toPropValue :: v -> PropValue
+
+instance isPropValueString :: IsPropValue String where
+  toPropValue = propFromString
+
+instance isPropValueBoolean :: IsPropValue Boolean where
+  toPropValue = propFromBoolean
+
+instance isPropValueInt :: IsPropValue Int where
+  toPropValue = propFromInt
+
+instance isPropValueNumber :: IsPropValue Number where
+  toPropValue = propFromNumber
+
+prop :: forall a v. IsPropValue v => String -> v -> Prop a
+prop key value = Property key (toPropValue value)
+
+infixr 1 attr as :=
+infixr 1 prop as .=
+
+elem ∷ ∀ a. String → Array (Prop a) → Array (VDom (Array (Prop a)) a) → VDom (Array (Prop a)) a
+elem n a c = V.Elem Nothing (ElemName n) a (unsafeCoerce c)
+
+keyed ∷ ∀ a. String → Array (Prop a) → Array (Tuple String (VDom (Array (Prop a)) a)) → VDom (Array (Prop a)) a
+keyed n a c = V.Keyed Nothing (ElemName n) a (unsafeCoerce c)
+
+text ∷ ∀ a. String → VDom (Array (Prop Void)) a
+text a = V.Text a
+
+main ∷ Effect Unit
+main = runSpecAndExitProcess [ consoleReporter ] do
+  it "works" do
+    let
+      html ∷ VDom (Array (Prop Void)) Void
+      html =
+        elem "div" [ "className" .= "container", "id" := "root" ]
+          [ elem "label" [ "htmlFor" .= "username" ]
+              [ text "Username" ]
+          , elem "input" [ "id" := "input" ] []
+          , elem "a" [ "href" := "index" ] [ text "Inbox" ]
+          , keyed "div" []
+              [ "0" /\ elem "span" [] [ text "0" ]
+              , "1" /\ elem "span" [] [ text "1" ]
+              ]
+          ]
+    render absurd html `shouldEqual` """<div class="container" id="root"><label for="username">Username</label><input id="input"/><a href="index">Inbox</a><div><span>0</span><span>1</span></div></div>"""
+  it "should not escape links in prop attrs" do
+    let
+      html ∷ VDom (Array (Prop Void)) Void
+      html =
+        elem "script"
+          [ "async" := ""
+          , "type" := "application/javascript"
+          , "src" := "chunks/defaultVendors~main-063769ad5d827b791041.js"
+          ]
+          []
+    render absurd html `shouldEqual` """<script async="" type="application/javascript" src="chunks/defaultVendors~main-063769ad5d827b791041.js"></script>"""
+  it "but should escape links prop names" do
+    let
+      html ∷ VDom (Array (Prop Void)) Void
+      html =
+        elem "script"
+          [ "application/javascript" := "type"
+          , "chunks/defaultVendors~main-063769ad5d827b791041.js" := "src"
+          ]
+          []
+    render absurd html `shouldEqual` """<script application&#x2F;javascript="type" chunks&#x2F;defaultVendors~main-063769ad5d827b791041.js="src"></script>"""
+  it "but should render int, boolean, number props" do
+    let
+      html ∷ VDom (Array (Prop Void)) Void
+      html =
+        elem "input"
+          [ "maxLength" .= 255 -- Int
+          , "step" .= 0.5 -- Number
+          , "disabled" .= true -- Boolean
+          , "readonly" .= false -- Boolean
+          ]
+          []
+    render absurd html `shouldEqual` """<input maxLength="255" step="0.5" disabled/>"""
+  describe "escape chars" do
+    let
+      mkElem char = elem ("div" <> char <> "test") [ "attr" <> char <> "key" := "attr" <> char <> "val", "prop" <> char <> "key" .= "prop" <> char <> "val" ] []
+      mkTest char expected = it char $ render absurd (mkElem char) `shouldEqual` expected
+
+    mkTest "\"" """<divtest attr&quot;key="attr&quot;val" prop&quot;key="prop&quot;val"></divtest>"""
+    mkTest "'" """<divtest attr&#39;key="attr'val" prop&#39;key="prop'val"></divtest>"""
+    mkTest "/" """<divtest attr&#x2F;key="attr/val" prop&#x2F;key="prop/val"></divtest>"""
+    mkTest "\\" """<divtest attr\key="attr\val" prop\key="prop\val"></divtest>"""
+    mkTest "`" """<divtest attr`key="attr`val" prop`key="prop`val"></divtest>"""
+    mkTest "?" """<divtest attr?key="attr?val" prop?key="prop?val"></divtest>"""
+    mkTest "!" """<divtest attr!key="attr!val" prop!key="prop!val"></divtest>"""
+    mkTest "@" """<divtest attr@key="attr@val" prop@key="prop@val"></divtest>"""
+    mkTest "#" """<divtest attr#key="attr#val" prop#key="prop#val"></divtest>"""
+    mkTest "$" """<divtest attr$key="attr$val" prop$key="prop$val"></divtest>"""