Saturday, September 14, 2013

Somebody is Wrong on the Internet


I will not go to bed until this particular fool is disabused:

So yeah, I was wrong about that one. But that is one of the many benefits of blogging daily—I make a fool of myself so often that I am long past the days of caring that people realize that I am capable of making foolish mistakes.

I was convinced of this particular mistake for several days. So convinced was I, that I devised a plan to work around this: use <button> tags instead of <a> tags. But as I was prepping for today's post, a funny thing happened. I could not reproduce the error.

This particular error would have occurred when I was introducing the clear superiority of Dart strings in Dart for Hipsters. They can be multi-line and have nice value interpolation:
graphic_novel_template(graphic_novel) {
  return '''
    <li id="${graphic_novel['id']}">
      ${graphic_novel['title']}
      <a href="#" class="delete">[delete]</a>
    </li>''';
}
As my tweet indicates, I thought the href attribute was running afoul of Dart's HTML sanitization censors, but, now that I try to load the page up to address it, I find:



So what prompted my hissy fit? Well, it turns out that I was running my test suite from file://. That, it turns out, does set off sanitization alarms:
Removing disallowed attribute <A href="#"> 
If I want to allow that href attribute, I need to specify a custom HTML validator when assigning raw HTML:
    list_el.setInnerHtml(
      graphic_novels_template(list),
      validator: new NodeValidatorBuilder()
        ..allowTextElements()
        ..allowHtml5()
        // Listing href under `attributes:` whitelists it as a plain attribute,
        // so the URI policy that allowHtml5() normally applies to href is
        // bypassed for every <a> in the template, not only the href="#" case.
        ..allowElement('a', attributes: ['href'])
    );
I doubt that I will include that in my code just to appease my tests—especially since this is chapter one. Still, it is good to know how to accomplish it should I need it elsewhere. I am also beginning to understand the benefit of building HTML validation policies in this manner—it is fairly easy to build a policy that is nicely tailored to my needs in this particular instance. Plus, I am 100% assured that I cannot make a later coding mistake that sees an invalid element or attribute slip into my page.
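A narrower way to keep href="#" from file:// is to give allowHtml5() a custom UriPolicy that accepts fragment-only links and defers everything else to the default same-origin check, rather than whitelisting href as a plain attribute. This is an added example, not code from the post or from Dart for Hipsters; the FragmentOrSameOriginUriPolicy class, buildValidator() and the sample markup are assumptions.

```dart
import 'dart:html';

// Hypothetical policy (an assumption, not from the post): accept fragment-only
// links such as href="#", which the default same-origin policy rejects when
// the page is loaded from file://, and defer every other URI to that default
// policy, so javascript:, data: and off-origin http(s): hrefs still get
// stripped.
class FragmentOrSameOriginUriPolicy implements UriPolicy {
  final UriPolicy _sameOrigin = new UriPolicy(); // default same-origin policy

  bool allowsUri(String uri) {
    if (uri.startsWith('#')) return true;
    return _sameOrigin.allowsUri(uri);
  }
}

// Validator that keeps href on <a> only under the policy above, instead of
// whitelisting it outright with allowElement('a', attributes: ['href']).
NodeValidator buildValidator() {
  return new NodeValidatorBuilder()
    ..allowTextElements()
    ..allowHtml5(uriPolicy: new FragmentOrSameOriginUriPolicy());
}

void main() {
  // Constructed sample markup: the fragment link keeps its href, the
  // off-origin link loses it (from file:// and from any other origin but
  // example.org).
  var sample = '<ul>'
      '<li id="1">Watchmen <a href="#" class="delete">[delete]</a></li>'
      '<li id="2">Maus <a href="http://example.org/">elsewhere</a></li>'
      '</ul>';
  var container = new DivElement()
    ..setInnerHtml(sample, validator: buildValidator());
  document.body.append(container);
  print(container.innerHtml);
}
```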

I still rather wish for a way to de-taint strings in order to avoid validation in certain circumstances. But perhaps a few more foolish statements on my part will make me come around.


Day #874

2 comments:

  1. I had this bug, googled it and thank you for blogging about it. This is another reason why blogging daily, no matter how raw, benefits others. Thank you, yet again, Prof. Strom :)
