-
Notifications
You must be signed in to change notification settings - Fork 47.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Custom Attributes Scenario 2: Write badly cased attributes. Remove most of whitelist. #10385
Changes from all commits
af36bfa
601eabd
eab17b5
137af3b
55e55ba
2106844
9caa863
84beb33
f406aac
da19306
f09d3f3
aeb2db3
7cbf2f3
b67dd13
dab72d2
000c0df
a77d47b
f661d22
aa3916b
6ce3335
a11b0bd
07c6865
599844e
14d5ea0
99206db
a3c2aef
ca601c6
3e866cf
b7d6996
545bcab
afb609e
71871c4
3281320
19bfbaf
6df8b4f
cb57075
21678fc
90b4cce
fa3db62
21db719
c2c3d63
7f16b4d
3908cd3
2479fcc
8162222
e9c8910
6b1572a
cf1b0d7
b923740
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
This file was deleted.
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -13,6 +13,21 @@ | |
|
||
var invariant = require('fbjs/lib/invariant'); | ||
|
||
// These attributes should be all lowercase to allow for | ||
// case insensitive checks | ||
var RESERVED_PROPS = { | ||
children: true, | ||
dangerouslysetinnerhtml: true, | ||
autofocus: true, | ||
defaultvalue: true, | ||
defaultchecked: true, | ||
innerhtml: true, | ||
suppresscontenteditablewarning: true, | ||
onfocusin: true, | ||
onfocusout: true, | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. These two are currently not validated at all. If I type <div onfocusin={function() {}} /> it will silently ignore it. I would expect it to warn. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Good catch. I these from I think we just need to make the There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Works for me. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I'll get this. |
||
style: true, | ||
}; | ||
|
||
function checkMask(value, bitmask) { | ||
return (value & bitmask) === bitmask; | ||
} | ||
|
@@ -32,11 +47,6 @@ var DOMPropertyInjection = { | |
* Inject some specialized knowledge about the DOM. This takes a config object | ||
* with the following properties: | ||
* | ||
* isCustomAttribute: function that given an attribute name will return true | ||
* if it can be inserted into the DOM verbatim. Useful for data-* or aria-* | ||
* attributes where it's impossible to enumerate all of the possible | ||
* attribute names, | ||
* | ||
* Properties: object mapping DOM property name to one of the | ||
* DOMPropertyInjection constants or null. If your attribute isn't in here, | ||
* it won't get written to the DOM. | ||
|
@@ -61,15 +71,8 @@ var DOMPropertyInjection = { | |
var Properties = domPropertyConfig.Properties || {}; | ||
var DOMAttributeNamespaces = domPropertyConfig.DOMAttributeNamespaces || {}; | ||
var DOMAttributeNames = domPropertyConfig.DOMAttributeNames || {}; | ||
var DOMPropertyNames = domPropertyConfig.DOMPropertyNames || {}; | ||
var DOMMutationMethods = domPropertyConfig.DOMMutationMethods || {}; | ||
|
||
if (domPropertyConfig.isCustomAttribute) { | ||
DOMProperty._isCustomAttributeFunctions.push( | ||
domPropertyConfig.isCustomAttribute, | ||
); | ||
} | ||
|
||
for (var propName in Properties) { | ||
invariant( | ||
!DOMProperty.properties.hasOwnProperty(propName), | ||
|
@@ -111,30 +114,24 @@ var DOMPropertyInjection = { | |
propName, | ||
); | ||
|
||
if (__DEV__) { | ||
DOMProperty.getPossibleStandardName[lowerCased] = propName; | ||
} | ||
|
||
if (DOMAttributeNames.hasOwnProperty(propName)) { | ||
var attributeName = DOMAttributeNames[propName]; | ||
|
||
propertyInfo.attributeName = attributeName; | ||
if (__DEV__) { | ||
DOMProperty.getPossibleStandardName[attributeName] = propName; | ||
} | ||
} | ||
|
||
if (DOMAttributeNamespaces.hasOwnProperty(propName)) { | ||
propertyInfo.attributeNamespace = DOMAttributeNamespaces[propName]; | ||
} | ||
|
||
if (DOMPropertyNames.hasOwnProperty(propName)) { | ||
propertyInfo.propertyName = DOMPropertyNames[propName]; | ||
} | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. DOMPropertyNames is not used by any injection. |
||
|
||
if (DOMMutationMethods.hasOwnProperty(propName)) { | ||
propertyInfo.mutationMethod = DOMMutationMethods[propName]; | ||
} | ||
|
||
// Downcase references to whitelist properties to check for membership | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Where do these become lowercase? This comment confused me a bit because I expected to find |
||
// without case-sensitivity. This allows the whitelist to pick up | ||
// `allowfullscreen`, which should be written using the property configuration | ||
// for `allowFullscreen` | ||
DOMProperty.properties[propName] = propertyInfo; | ||
} | ||
}, | ||
|
@@ -197,33 +194,58 @@ var DOMProperty = { | |
properties: {}, | ||
|
||
/** | ||
* Mapping from lowercase property names to the properly cased version, used | ||
* to warn in the case of missing properties. Available only in __DEV__. | ||
* | ||
* autofocus is predefined, because adding it to the property whitelist | ||
* causes unintended side effects. | ||
* | ||
* @type {Object} | ||
* Checks whether a property name is a writeable attribute. | ||
* @method | ||
*/ | ||
getPossibleStandardName: __DEV__ ? {autofocus: 'autoFocus'} : null, | ||
shouldSetAttribute: function(name, value) { | ||
if (DOMProperty.isReservedProp(name)) { | ||
return false; | ||
} | ||
|
||
/** | ||
* All of the isCustomAttribute() functions that have been injected. | ||
*/ | ||
_isCustomAttributeFunctions: [], | ||
if (value === null) { | ||
return true; | ||
} | ||
|
||
/** | ||
* Checks whether a property name is a custom attribute. | ||
* @method | ||
*/ | ||
isCustomAttribute: function(attributeName) { | ||
for (var i = 0; i < DOMProperty._isCustomAttributeFunctions.length; i++) { | ||
var isCustomAttributeFn = DOMProperty._isCustomAttributeFunctions[i]; | ||
if (isCustomAttributeFn(attributeName)) { | ||
var lowerCased = name.toLowerCase(); | ||
|
||
var propertyInfo = DOMProperty.properties[name]; | ||
|
||
switch (typeof value) { | ||
case 'boolean': | ||
if (propertyInfo) { | ||
return true; | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. @sebmarkbage I'd like to figure out how much Likewise for numeric fields (which we've dropped from the whitelist, except for things like I think this might have mattered back when they were assigned as properties. I'd have to do some archeology. Dan and I made the call to keep their property info the same as 15.x, but I still can't help but wonder. |
||
} | ||
var prefix = lowerCased.slice(0, 5); | ||
return prefix === 'data-' || prefix === 'aria-'; | ||
case 'undefined': | ||
case 'number': | ||
case 'string': | ||
return true; | ||
} | ||
case 'object': | ||
return true; | ||
default: | ||
// function, symbol | ||
return false; | ||
} | ||
return false; | ||
}, | ||
|
||
getPropertyInfo(name) { | ||
return DOMProperty.properties.hasOwnProperty(name) | ||
? DOMProperty.properties[name] | ||
: null; | ||
}, | ||
|
||
/** | ||
* Checks to see if a property name is within the list of properties | ||
* reserved for internal React operations. These properties should | ||
* not be set on an HTML element. | ||
* | ||
* @private | ||
* @param {string} name | ||
* @return {boolean} If the name is within reserved props | ||
*/ | ||
isReservedProp(name) { | ||
return RESERVED_PROPS.hasOwnProperty(name.toLowerCase()); | ||
}, | ||
|
||
injection: DOMPropertyInjection, | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is slightly confusing because if I use it, it says:
But then if I try
innerHTML
, of course it isn’t supported:It seems better if the same warning was displayed immediately (or if we just got a generic "unknown property" warning for wrong casing like
innerhtml
).There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm working on making the warning for
onFocusIn
andonFocusOut
case insensitive. I can do that for innerHTML too.These show up in
assertValidProps
:https://github.com/facebook/react/blob/master/src/renderers/dom/shared/utils/assertValidProps.js
The easiest thing to do is move them to
ReactDOMUnknownPropertyHook
.