{{{triples}}}

[Rich-Harris]

We'll eventually need some way to inject arbitrary (sanitized? or is that the dev's responsibility?) HTML

[evs-chris]

I think sanitation is largely out of scope here. I'd say allow an optional hook to modify the resulting DOM before dropping it onto the page. If you wanted to make the dev's life a bit simpler, perhaps that hook could be for a visitor function called to filter each node down the resultant DOM tree.

[Rich-Harris]

I think sanitation is largely out of scope here

👍 yeah, reflecting on it a bit I think you're right

[NekR]

I think sanitization should be the default. It's more often when you need sanitized output than not.

[Rich-Harris]

That definitely hasn't been my experience. The only time you need sanitisation is if you're rendering user input – every time I've used triples it's been to render e.g. a chunk of markdown that I wrote. Also, there are different forms/levels of sanitisation, and you penalise the majority of users if you include all the sanitisation code for everyone who uses triples.

[NekR]

@Rich-Harris I don't really know how write apps, maybe you always work with people who don't make mistakes, but from my experience people always do and keep forgetting to use the syntax with sanitization. So even if that's only for user's input, it totally makes sense to have sanitization by default.

I don't mean triples here actually, I mean default interpolation syntax should sanitize and have a syntax to explicitly bypass it.

P.S. "should" in an ideal template engine (or whatever with templates) for me. Not that I'm telling to you what you should do or not :-)

[evs-chris]

@NekR the regular interpolators only create text nodes, so there's really nothing to sanitize there. If you want to drop html into the template from a string, you would have to use a triple.

[NekR]

@evs-chris I see. That makes sense and that's exactly what I meant. Sorry for misunderstanding.

[Rich-Harris]

P.S. "should" in an ideal template engine (or whatever with templates) for me

Makes me think maybe browsers should be responsible for that – maybe a new API, e.g. as well as node.innerHTML = something there should be a node.safeInnerHTML = something. That way you'd have a clearly defined spec determining what is considered 'safe' and what constitutes an XSS vector etc, no room for framework authors to bork things up. One day...

[PaulBGD]

@Rich-Harris Is Node.textContent what you're looking for?
https://developer.mozilla.org/en-US/docs/Web/API/Node/textContent

[azu]

IE has toStaticHTML method, but it is non-standard...

[jacobmischka]

@PaulBGD textContent is what regular {{ }} mustaches do already, this thread is about inserting HTML, which textContent cannot do, and a magical safeInnerHTML could do safely.

[Swatinem]

The way I implemented it in #124 btw is without sanitization. I think its the responsibility of the template author to do that, and it would be as simple as definiting a helper and calling {{{sanitize(rawHtml)}}}