Implement allowUnsafeSymbols option (which defaults to false) for he.encode
#23
Conversation
|
Your patch looks good so far. Some remarks:
By the way, this would solve #16. Note that this new option should not be used in cases where the markup can contain custom elements, since those can contain all kinds of symbols and escaping e.g. |
|
@mathiasbynens I've renamed the option, but I have a few questions about your other requests:
|
Thanks for your work on this so far! |
|
@mathiasbynens Thanks for the clarification. I've held off on renaming the existing method because I'm not sure it resolves the ambiguity, and the suggestion seemed more like an afterthought. Of course, I'm happy to change it if you would like me to! The By the way, I expect you'll want to squash all this down when we get to a final draft. I'd be happy to do that too, just let me know. |
| @@ -106,7 +106,7 @@ he.encode('foo © bar ≠ baz 𝌆 qux', { | |||
|
|
|||
| #### `encodeEverything` | |||
|
|
|||
| The default value for the `encodeEverything` option is `false`. This means that `encode()` will not use any character references for printable ASCII symbols that don’t need escaping. Set it to `true` to encode every symbol in the input string. | |||
| The default value for the `encodeEverything` option is `false`. This means that `encode()` will not use any character references for printable ASCII symbols that don’t need escaping. Set it to `true` to encode every symbol in the input string. When set to `true`, this option will take precedence over `encodeUnsageSymbols` (setting the latter to `false` will have no effect). | |||
|
@jugglinmike Your arguments convinced me that |
|
Thanks for the feedback, @mathiasbynens — I think I've addressed it all. |
| he.encode('foo © and & ampersand'); | ||
| // → 'foo © and & ampersand' | ||
| ``` | ||
|
|
There was a problem hiding this comment.
The docs for he.encode() should be updated too (maybe the first paragraph can just get a link to this section). I can do this after merging your PR, no worries.
|
This looks great! Could you squash your commits please? If you don’t want to fix those last few nitpicks I just left as comments, no worries, I’m happy to take care of them after merging your patch. Just let me know. |
|
No problem at all, Mathias. I am a bit busy this week, so I don't expect to address these final issues until Saturday. If you'd like to see this merged before then, though, be my guest :) |
Although `he.escape` allows for escaping "unsafe" markup characters, there is currently no way to escape the inverse set--non-ASCII characters only. This missing functionality is useful in contexts where markup is allowed, but non-ASCII characters might be otherwise mangled (as in the iframe `srcdoc` attribute, for example). Introduce a new option to `he.encode` which disables the escaping of unsafe markup characters. Preserve API compatability by disabling this behavior by default.
jugglinmike
force-pushed
the
markupchars-option
branch
from
c6d1e9b to
37f0e29
Compare
|
@mathiasbynens I've fixed the typo, squashed the commits, and updated the commit message. I held off on the |
mathiasbynens
changed the title
markupChars option for he.encodeallowUnsafeSymbols option (which defaults to false) for he.encode
Although `he.escape` allows for escaping ‘unsafe’ markup characters, there is currently no way to escape the inverse set – non-ASCII characters only. This missing functionality is useful in contexts where markup is allowed, but non-ASCII characters might be otherwise mangled (as in the `iframe` `srcdoc` attribute, for example). Introduce a new option to `he.encode` which disables the escaping of unsafe markup characters. Preserve API compatability by disabling this behavior by default. Closes #16 and #23.
|
Thanks, I’ve tweaked your patch and merged it. Will release a new version now. $ npm install he@0.5.0 --save-dev |
Although `he.escape` allows for escaping ‘unsafe’ markup characters, there is currently no way to escape the inverse set – non-ASCII characters only. This missing functionality is useful in contexts where markup is allowed, but non-ASCII characters might be otherwise mangled (as in the `iframe` `srcdoc` attribute, for example). Introduce a new option to `he.encode` which disables the escaping of unsafe markup characters. Preserve API compatability by disabling this behavior by default. Closes #16 and #23.
|
Awesome--thanks! |
Hey @mathiasbynens!
I'd love to use this library in my polyfill for the iframe
srcdocattribute, but I think I need an additional feature. The functionality I'm proposing here would help me to resolve an issue that was recently filed against that project.Commit message: