README.md in draftjs_html-0.4.0 vs README.md in draftjs_html-0.5.0
- old
+ new
@@ -57,12 +57,12 @@
},
}
DraftjsHtml.to_html(raw_draftjs, options: {
entity_style_mappings: {
- abc: ->(entity, content) {
- %Q{<a href="https://example.com/?id=#{entity.data['user_id']}">#{content}</a>}
+ abc: ->(entity, content, *) {
+ DraftjsHtml::Node.new('a', { href: "https://example.com/?id=#{entity.data['user_id']}" }, content)
},
},
}) # => <p>Hello <a href="https://example.com/?id=123">@Arya</a></p>
```
@@ -79,12 +79,13 @@
#### `:entity_style_mappings`
Allows the author to specify special mapping functions for entities.
By default, we render `LINK` and `IMAGE` entities using the standard `<a>` and `<img>` tags, respectively.
-The author may supply a Proc object that returns any object Nokogiri can consume for adding to HTML.
-This includes `String`, `Nokogiri::Document::Fragment`, and `Nokogiri::Document` objects.
+The author may supply a `call`-able object that returns a `DraftjsHtml::Node`-able (or similar).
+If returned a String, it's assumed this content is plaintext (or otherwise unsafe) and its content will be coerced to plaintext.
+See the section on HTML Injection protection for more details.
#### `:block_type_mapping`
You may wish to override the default HTML tags used for DraftJS block types.
By default, we convert block types to tags as defined by `DraftjsHtml::ToHtml::BLOCK_TYPE_TO_HTML`.
@@ -126,14 +127,45 @@
```ruby
DraftjsHtml.to_html(raw_draftjs, options: {
inline_style_renderer: ->(style_names, content) {
next if style_names != ['CUSTOM']
- "<pre>#{content}</pre>"
+ Nokogiri::XML::Node.new('pre', document).tap do |node|
+ node.content = content
+ end
},
})
# This would use the default inline style rendering UNLESS the *only* applied style for this range was "CUSTOM"
+```
+
+#### HTML Injection protection
+
+Working with user-generated content can be a dangerous thing.
+While it allows for a lot of flexibility, it also creates some potential attack vectors that you need to be aware of.
+We try to take a "safe by default" stance with this library, and not generate HTML that could be dangerous when we know better.
+
+To facilitate this, we require a little work from you, dear programmer.
+Namely, when specifying special algorithms for generating entities or inline styles, you need to help us keep you safe.
+You can do this by returning a `Nokogiri::XML::Node` or `DraftjsHtml::Node` from any functions you provide that generate HTML.
+This is similar to Ruby on Rails' `#to_html` method, but rather than a monkeypatch, we chose to provide a "marker class" (classes) that we know are safe.
+These classes will handle escaping, encoding, and otherwise "safe generation" for you.
+If you, on the other hand, return a bare `String` from one of the custom render functions, we assume it's _unsafe_ and encode it.
+
+That is, a function like this:
+```ruby
+->(entity, content, document) do
+ "<p>hi!</p>"
+end
+# will become an HTML-entity escaped string (e.g. "<p>hi!</p>")
+```
+
+Where, a function like this:
+```ruby
+->(entity, content, document) do
+ DraftjsHtml::Node.new('p', {}, 'hi!')
+end
+# will nest HTML nodes as you probably want (e.g. "<p>hi!</p>")
```
## Development
After checking out the repo, run `bin/setup` to install dependencies. Then, run