Improve card header word breaks #628
Conversation
|
|
||
| // Break the string at natural points, including commas, equals, and slashes | ||
| _breakString: function(originalString) { | ||
| return originalString.replace(/([\/=\-_,])/g, "$1<wbr>"); |
There was a problem hiding this comment.
This could be a security risk. See this. Also:
import HtmlSanitizer from 'goog:goog.html.sanitizer.HtmlSanitizer';HtmlSanitizer.sanitize(...)@io_bazel_rules_closure//closure/library.
There was a problem hiding this comment.
Yeah, you're right... should have thought more about that, this was just code I copy-pasted from tf-runs-selector.html as introduced in 3113df4, but I did think the innerHtml "workaround" was a bit funny.
There are a few other places using the innerHtml stuff that seem like they could also be problematic, e.g. here there's a homegrown HTML sanitizer function that while perhaps sufficient for that case would be better off sticking to HtmlSanitizer so nobody copies it into a place where it's inappropriate:
I can do a separate PR to fix all those spots to use HtmlSanitizer and then come back and update this one.
| @@ -168,6 +171,11 @@ | |||
| this.$.descriptionDialog.positionTarget = e.target; | |||
| this.$.descriptionDialog.toggle(); | |||
| }, | |||
|
|
|||
| // Break the string at natural points, including commas, equals, and slashes | |||
There was a problem hiding this comment.
Why equals? They might be used to encode hyper parameters. If I have a run name like learning_rate=0.1,filters=64,batch_size=100 then it would be nice if made an attempt to show me one association per line.
There was a problem hiding this comment.
I just copied the same set of characters used for run breaking in tf-runs-selector.html, since it seemed like it was worth having the same behavior. If you like I can restrict one or both to not break on equals signs though.
| @@ -62,7 +62,10 @@ | |||
| <template is="dom-if" if="[[_tagLabel]]"> | |||
| <div class="heading-row"> | |||
| <div class="heading-label"> | |||
| tag: <span itemprop="tag">[[_tagLabel]]</span> | |||
| tag: <div | |||
| itemprop="tag" | |||
There was a problem hiding this comment.
Why not run too? Possibly also do name as well.
There was a problem hiding this comment.
Run was just an oversight because it's not in the scalars plugin card headers. I'll redo some test data with one of the plugins that does show runs in the headers and add this behavior to run as well.
Re: name, that didn't seem as useful since custom display names can easily have spaces in them (and it'd be a little weird to break mid-word when there are space breaks available, IMO - unlike a book we're not trying to justify text to fill a column). We could potentially insert <wbr> only for display names that don't already have whitespace, but overall this seems less important than the run or the tag because 1) human-choosen names will tend to be short and 2) automatic names are based only on the node name without any enclosing namespaces, so they'll also tend to be much shorter than the tag name (or run name).
jart
changed the title
|
It would be fabulous if you found all the other inner html type issues in a
separate PR since we're going to need it all to be air tight when we make
TensorBoard a service.
…On Oct 5, 2017 6:14 PM, "Nick Felt" ***@***.***> wrote:
***@***.**** commented on this pull request.
------------------------------
In tensorboard/components/tf_card_heading/tf-card-heading.html
<#628 (comment)>
:
> @@ -62,7 +62,10 @@
<template is="dom-if" if="[[_tagLabel]]">
<div class="heading-row">
<div class="heading-label">
- tag: <span itemprop="tag">[[_tagLabel]]</span>
+ tag: <div
+ itemprop="tag"
Run was just an oversight because it's not in the scalars plugin card
headers. I'll redo some test data with one of the plugins that does show
runs in the headers and add this behavior to run as well.
Re: name, that didn't seem as useful since custom display names can easily
have spaces in them (and it'd be a little weird to break mid-word when
there are space breaks available, IMO - unlike a book we're not trying to
justify text to fill a column). We could potentially insert <wbr> only
for display names that don't already have whitespace, but overall this
seems less important than the run or the tag because 1) human-choosen names
will tend to be short and 2) automatic names are based only on the node
name without any enclosing namespaces, so they'll also tend to be much
shorter than the tag name (or run name).
—
You are receiving this because your review was requested.
Reply to this email directly, view it on GitHub
<#628 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AADAbpZrGEhqWhlHY9HXWV6MDE1FP1Iqks5spX8DgaJpZM4PvyV9>
.
|
|
I'm not sure that The purpose of
By contrast, we really just want to embed a plain-text string into HTML: escape or quote would be a better term than sanitize. For that purpose, all that you need to do is replace We can definitely still have a standard Alternatively, if you can find a suitable closure-library function that does the right thing, I'd be very happy with that, too! |
|
@wchargin Good point. I was assuming HtmlSanitizer could be configured to have a tag whitelist of just One question: I was contemplating making a polymer element for a |
Not unreasonable, but there's still a difference: a run called "
Semantically, this is—in my opinion—entirely reasonable. If I were writing the code, though, I probably wouldn't write such a component: defining new components in Polymer feels extremely clunky to me, so that components are "heavyweight" instead of "lightweight," and it's not clear to me that this component pulls its weight. By that I mean: for a Polymer component, you need your own file, some DOM-module and import boilerplate, a script tag where you declare some properties, a computed property for the escaped text, and then a template with the implementation. (Contrast something like React, where the entire component is literally Note that I'm not asking that you not implement it, just letting you know where I'm coming from. One question: does it make sense to have the same component handle
We're trying to get rid of |
|
The polymer component approach is a little more heavyweight, but the appeal to me was that then we can encapsulate the somewhat messy business of setting Also, the interplay of word-breaking and escaping is also a little subtle; you can't escape after breakWords() since then you'd escape Re: |
|
Ah yes, sanitization is somewhat different from entity escaping. If Polymer has a way to properly address the XSS concern without needing Closure Library, then that might be better. Regarding the |
|
Will close this PR since we have #1602 for now. |
Insert tags into the tag names used in card headers, so that in the case of long tag names, they will break more gracefully at word boundaries.
Before:
After:
Note that incidentally this also seems to address a bug where the long unbroken tag name pushed the containing div out too far, and bumped the "show description" circled-i icon out of view, making it inaccessible. The bug is not 100% fixed because in the case of a tag name which has an unbreakable component that exceeds the card width (e.g. "someVeryLongUnbrokenRunNameWithNoHyphensSlashesOrUnderscores/loss/scalar_summary") we would still have the problem. But that seems much less likely with this change in place.