Distinguish text content from HTML content

This issue has been tracked since 2022-11-19.

In templates, is there any way to distinguish plain text content from HTML content? Or does the caller need to always escape arbitrary text values?

As a contrived example, in the docs under the "Event" header, if I type <b>bold! into the text box, bold text appears, so it seems I can insert arbitrary HTML. That's fine for hard-coded values, but seems like a security issue for anything derived from user input.

For what it's worth, I like the minimal, modern JS-based approach of ArrowJS, but this seems like a potential footgun :)

justin-schroeder wrote this answer on 2022-11-19

Yeah, this 100% isn't supposed to happen. It should be doing an innerText assignment; for some reason it isn't, but that should be fairly easy to get fixed, I think.
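
The distinction asked about in this issue, as an added example that is not part of the original thread and is not ArrowJS's code: a tagged template that treats every interpolated value as text unless it was explicitly wrapped as markup. The names `escapeHTML`, `SafeMarkup`, `raw` and `html` are hypothetical helpers; in a DOM renderer the same default is achieved by assigning `textContent`/`innerText` instead of `innerHTML`.

```javascript
// Added example: hypothetical helpers, not the ArrowJS API.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the characters that can change HTML parsing context.
// Sufficient for element content and quoted attribute values only;
// it does not make values safe inside <script>, <style>, or URL attributes.
function escapeHTML(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Marker type: only values wrapped in it are emitted as markup.
class SafeMarkup {
  constructor(markup) { this.markup = markup; }
  toString() { return this.markup; }
}

// Explicit opt-in for developer-authored markup; never pass user input here.
function raw(markup) { return new SafeMarkup(String(markup)); }

function render(value) {
  if (value instanceof SafeMarkup) return value.markup;       // already markup
  if (Array.isArray(value)) return value.map(render).join(''); // lists of parts
  if (value === null || value === undefined) return '';
  return escapeHTML(value);                                    // default: text
}

// The static strings come from source code and are trusted;
// every interpolation is text unless it is a SafeMarkup instance.
function html(strings, ...values) {
  let out = strings[0];
  values.forEach((v, i) => { out += render(v) + strings[i + 1]; });
  return new SafeMarkup(out);
}

// Constructed sample input: the string typed into the docs text box in the issue.
const userInput = '<b>bold!';
console.log(html`<p>${userInput}</p>`.toString());          // rendered as text
console.log(html`<p>${raw('<b>bold!</b>')}</p>`.toString()); // explicit markup
console.log(html`<ul>${['a<', 'b>'].map((x) => html`<li>${x}</li>`)}</ul>`.toString());
```

Because `html` returns a `SafeMarkup`, nested templates compose without double escaping, while a plain string from any source is always escaped.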

More Details About Repo
Owner Name justin-schroeder
Repo Name arrow-js
Full Name justin-schroeder/arrow-js
Language TypeScript
Created Date 2022-11-08
Updated Date 2023-03-28
Star Count 1240
Watcher Count 21
Fork Count 22
Issue Count 7

