Add JS string escape helper #847

scottwhudson · 2025-02-08T15:32:03Z

Hey Joel 👋,

Thanks for the Phlex library, it feels like what HAML and view components could've been.

We're using it alongside alpine.js and overall very happy with the experience. One issue we're running into is the need to escape strings prior to JS evaluation and our current approach feels slightly cumbersome. I'd love to open a PR to add a JS string escape helper that leverages json_escape and raw under the hood to ensure that we're not exposing ourselves to XSS attacks.

Are you open to a contribution like this?

joeldrapper · 2025-02-09T00:32:46Z

Hey, that sounds like a good idea. Do you have an example of the approach you have in mind? Not the implementation but the interface. What would it look like with alpine?

joeldrapper · 2025-02-10T10:33:36Z

I don’t think we can find automatically escape JSON strings like we can with HTML, so I guess the interface would be just adding a json_escape helper.

def json_escape(string)
  ERB::Util.json_escape(string)
end

scottwhudson · 2025-02-13T18:06:39Z

This is my feeling as well. We don't have a particularly elegant way of dynamically applying the JSON escape logic in the templates automagically without tying the implementation logic to the alpine-specific data attributes. I'll whip up a PR for this.

joeldrapper added this to the 2.1 milestone Feb 12, 2025

joeldrapper assigned scottwhudson Feb 15, 2025

joeldrapper removed this from the 2.1 milestone Feb 15, 2025

joeldrapper mentioned this issue Feb 28, 2025

Add JSON escape helper to Phlex::SGML #872

Merged

joeldrapper closed this as completed in #872 Feb 28, 2025

joeldrapper closed this as completed in fdd7c02 Feb 28, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add JS string escape helper #847

Add JS string escape helper #847

Add JS string escape helper #847

Add JS string escape helper #847

Comments