-
Notifications
You must be signed in to change notification settings - Fork 74
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
"Validate the string in context" takes any value and calls "Get Trusted Type compliant string" which requires a TrustedType or a string #488
Comments
Alternatively, perhaps https://w3c.github.io/trusted-types/dist/spec/#html-validate-the-string-in-context could be adapted to take either a TrustedType or a string. Then whatwg/webidl#1392 would require adaptation too. CC @lukewarlow since it might affect above PR. |
Tried to learn from an existing spec: https://dom.spec.whatwg.org/#dom-node-textcontent takes a value and calls https://dom.spec.whatwg.org/#string-replace-all which expects a string. However, the stringification of value to string is not specified. Did I miss anything? CC @domenic |
Yeah you're right the "html" algorithm probably needs updating. I'm not sure what the correct way to do it is though. |
(For |
That makes sense, and because this is before full type conversion it's just a raw value so we should be handling it. |
Why does it follow from IDL? See e.g. https://jsfiddle.net/jmfdasgp/. |
Because the IDL says it's a nullable DOMString so by the time the setter steps are running the value is already either null or stringified. |
Agreed. Where is the conversion from other objects, e.g. from a |
The Object type itself has its own stringifier which is what is being used. |
I'm thinking to solve this we could change Get trusted type compliant string to take any type, and then after step 1 insert a new step that stringifies the value (and throws if it can't stringify, I'm not sure any JS type can't be stringified though?) |
… context Get TT compliant string now takes any value, rather than just string or a TT. It then correctly stringifies this value. Fixes w3c#488
… context Get TT compliant string now takes any value, rather than just string or a TT. It then correctly stringifies this value. Fixes w3c#488
Can this be closed? We're going to be using unions (like |
Yep you're right. I'll close this out. (The algorithm will be removed by a draft PR I have) |
https://w3c.github.io/trusted-types/dist/spec/#html-validate-the-string-in-context
https://w3c.github.io/trusted-types/dist/spec/#get-trusted-type-compliant-string-algorithm
Should https://w3c.github.io/trusted-types/dist/spec/#html-validate-the-string-in-context try to stringify the value before passing it to https://w3c.github.io/trusted-types/dist/spec/#get-trusted-type-compliant-string-algorithm?
In any case, when https://w3c.github.io/trusted-types/dist/spec/#html-validate-the-string-in-context 's
value
has no stringifier, https://w3c.github.io/trusted-types/dist/spec/#html-validate-the-string-in-context should presumably throw an exception.The text was updated successfully, but these errors were encountered: