Drop .textContent IE8 polyfill and rewrite escaping tests against public API

[jeremenichelli]

I want to put some explanation about this test rewrite since I think the outcome might not be what was intended in #11299

escapeTextContentForBrowser is used in client/setTextContent.js only when textContent is not supported for DOM elements, which only happens in IE8 (caniuse.com reference http://caniuse.com/#feat=textcontent) a browser version that is no longer supported (https://reactjs.org/blog/2016/01/12/discontinuing-ie8-support.html).

To actually move this test to run over ReactDOM.render and React.createElement it would be necessary to mock up the entire global.document object, assign null to document.documentElement.textContent, require React packages and then test this util through React element rendering. If authors and contributors think this should be the way to go I can start working again on this approach.

Considering that this part of the code might not be running anywhere today in React web applications, my suggestion would be to not add this heavy lifting on the tests, reconsider modifying these tests by merging the changes I've made and actually start thinking about removing escapeTextContentForBrowser from the codebase.

Since the support was dropped almost two years ago and we should start considering removing IE8 code.

Looking forward to read others take on this :)

[syranide]

var testElement = document.createElement('div');
testElement.innerHTML = escapeTextContentForBrowser('&');
expect(testElement.innerHTML).toEqual('&');

Does not actually test escapeTextContentForBrowser for correct behavior. It would pass even if you just did testElement.innerHTML = '&';, which is clearly broken.

If you want to test this in-terms of the public API I'm guessing it would be a better idea to do something along the lines of

React.render(<div>{'&amp;'}</div>, target);
target.firstChild.textContent === '&amp;';

[jeremenichelli]

@syranide true that, as I described above the function I'm trying to test only runs in IE8, which could mean it's not used at all today in production.

My best bet is to work again on this PR, mock up the global.document object to mimic the inexistance of the textContent property in elements.

[syranide]

@jeremenichelli I'm pretty sure it's used for SSR too, which I'm guessing would be the actual way to test this (my code doesn't actually test it I realize 😄). It should be used for SSR at least.

[jeremenichelli]

Ah that's a good catch @syranide, I don't know how SSR works in React to be honest, but if it passes the ExecutionEnvironment.canUseDOM condition and 'textContent' in document.documentElementis false there too, then it will get called for sure.

I'm travelling to Buenos Aires for NodeConfAR now, so updates on this PR will have to wait til next week.

[gaearon]

If you're confident something is only used in IE8, let's change this PR to delete that instead.

[jeremenichelli]

@gaearon I'm 100% sure this only applies in IE8 cases (which implemented innerText instead of textContent), here's a list of references which support the statement:

• https://developer.mozilla.org/en-US/docs/Web/API/Node/textContent
• https://quirksmode.org/dom/html/
• https://caniuse.com/#feat=textcontent

The only thing I need to know is if this condition passes while server side rendering:

react/packages/react-dom/src/client/setTextContent.js

Line 43 in 087c48b

if (!('textContent' in document.documentElement)) {

If other contributors or users make sure SSRR doesn't need this, I will go on that path for sure.

[gaearon]

The only thing I need to know is if this condition passes while server side rendering:

SSR doesn't need this.

[jeremenichelli]

After some investigation, I noticed that escapeTextContentForBrowser is being used by the ReactPartialRenderer module from the server section of the package.

Also it's used by quoteAttributeValueForBrowser, for server rendering apparently.

Ideally the new roadmap would be to delete the textContent check in the client side since it's only there for IE8 as clarified before. Move the code to the shared folder and rename it escapeText since it's not used in the browser and it isn't applied in the text content situation itself, this will make the use of the code more clear.

We can re-check if the server tests satisfies the approach for quoted attributes and open a new issue.

Let me know if you agree with this new direction.

[gaearon]

Sounds reasonable to me.

[jeremenichelli]

Just updated this PR. I want to clarify the changes first.

• I've renamed escapeTextContentForBrowser to escapeText since it's just a util used by quoteAttributeValueForBrowser which is only used for server rendering.
• I've moved tests on ReactServerRendering-test.js related to attribute value escaping.
• On quoteAttributeValueforBrowser-test.js I'm testing directly through ReactDOMServer API to check if attribute values are correctly escaped.

A final note is that while doing this I didn't noticed tests for quoteAttributeValueForBrowser file were taken by @andrevargas in the original thread, and I think it would be the right thing to let him know if it's OK to merge this (after review approval) or if he first wants to show his PR to the team; and if the team prefers to merge his that I'll be totally fine with it. People before code 💟

[syranide]

I've renamed escapeTextContentForBrowser to escapeText since it's just a util used by quoteAttributeValueForBrowser which is only used for server rendering.

IMHO, that seems like a bad idea. There are many different ways to escape text/strings for the DOM, this is just one of them. At best it's confusing, at worst someone may use it to escape something they shouldn't (CSS, etc). EDIT: Although since it's being used for quoteAttributeValueForBrowser, the name of this function should at least exclude Content from TextContent, because TextContent implies it's only safe to use for textContent (which does not inherently make it safe for quoted attribute values).

Also, I don't understand how it can only be used by quoteAttributeValueForBrowser, how does the server-side escape inline text if not with this function?

@gaearon I'm also not sure why the current implementation is there, we had a far simpler and faster one "a long time ago"?

Unrelated but the description of escapeHtml is hilariously bad, "Escape special characters in the given string of html.".

[andrevargas]

Hey, thanks for letting me know about this, @jeremenichelli! I haven't figured out how exactly to test quoteAttributeValueforBrowser-test.js until now, and that's why I haven't sent any PR yet.

I didn't realize I could use ReactDOMServer API. Now I've taken a look at your PR and your tests for quoteAttributeValueForBrowser seem to be very reasonable.

It's awesome that you have done it! It's OK to merge this if approved, I'll be totally fine with it too! 👍
I just want to keep an eye on this PR, and let me know if I can help you with something. Again, thank you for caring about my efforts.

[jeremenichelli]

Thanks @andrevargas 💛

@syranide do you agree with changing the name to escapeStringForBrowser and improving description on escapeHtml method?

[gaearon]

@syranide Do you plan to continue reviewing this PR?

[jeremenichelli]

@syranide @gaearon to proceed I need to know if we agree on escapeStringForBrowser name, improving escapeHtml description, and maybe re-add direct escapeStringForBrowser tests (no through APIs) or through ReactDOMServer.

[syranide]

@gaearon Sorry, no time this week (full-day business meetings) and I'm not really on-top of your internal guidelines well enough to suggest something more than what I've already done I feel. My intention was just to add what I know/felt was missing seeing as I've touched this code before.

@syranide do you agree with changing the name to escapeStringForBrowser and improving description on escapeHtml method?

Sure. The implementation of escapeHtml seems outside the scope of this PR though (and the name itself is bad too, also no one will ever read that description 😄).

[jeremenichelli]

@syranide well it's a small gardening, and it wouldn't harm the PR talk if we agree on one ahead of new commits. How about escapeHtmlEntities?

[gaearon]

I'm not really on-top of your internal guidelines well enough to suggest something more than what I've already done I feel

We're pretty separate from any internal guidelines by now. I fully trust your intuition here. :-)

That said totally understand if you can't find the time. I'll try to dig in next week.

[syranide]

That said totally understand if you can't find the time. I'll try to dig in next week.

@gaearon Just unusually busy this week, should have time this weekend :)

[gaearon]

We can. Just embed it here :-)

[jeremenichelli]

Lol, forgot to take it out.

[gaearon]

Which of the new tests verifies this?

[gaearon]

Same question.

[gaearon]

Please add a test where this is literally the argument value.

[jeremenichelli]

@gaearon I'm thinking of creating tests for escapeText through the ReactDOMServer.renderToString API like these ones, do you think that it would make sense to write them? Also, if you do, shouldn't this test be placed there where the script would actually run?

[gaearon]

I'm thinking of creating tests for escapeText thourgh the ReactDOMServer.renderToString API like these ones

Sounds goood.

Also, if you do, shouldn't this test be placed there where the script would actually run?

Not sure what you mean. We just want to verify <script> can't be injected as attribute value.

[jeremenichelli]

Great, will add test on both escapeText and quoteAttribute tests.

[gaearon]

See above comments: let's make sure there is a corresponding test for each case we used to test before.

[jeremenichelli]

@gaearon from here, tests for number, object and script tags on attributes have been added back. Above tests for text content in nodes contemplate these cases too, let me know if you ahve any more concerns or something that I might have missed.

[gaearon]

So, the nice thing about these old tests is they didn't assert how we escape, only that we do escape. Which opens the door for changing that in the future.

Maybe it's not too important though.

[jeremenichelli]

What I didn't like form this test is that thy are just testing a switch JavaScript statement by doing it directly from the module. These internal modules pass thourgh other checks and algorithms when applied, so someone could modify that code, prevent the script to actually escape the characters and test would still pass, something that won't happen now 😃

[gaearon]

Maybe an ideal test would actually create a DOM node, put content into innerHTML and then assert that it only has a text node child with expected content?

[jeremenichelli]

Yeah, that could be one way. Though werid since this is used only on the server package, maybe adding cases from renderToStaticMarkup would be valuable.

[gaearon]

Though werid since this is used only on the server package

Not sure what you mean. The end goal of rendering to a string is that the HTML shows up in somebody's browser :-) This is exactly what an integration test should verify: that what shows up in the browser would have been consistent with what we expect (as opposed to a dangerous script tag).

[jeremenichelli]

I understood it better after writing my response but didn't want to edit it.

Yeah I guess that would mimic the text string from server to node conversion better than just testing the string. Let me know if you are planning on migrating to that. I might think about revisiting these tests in the future if necessary.

[gaearon]

If you'd like to send a PR for this, happy to review. I'm not 100% sure it's the right approach but it seems to make sense to me.