Merge pull request #133 from liveview-native/bc-fix-attribute-value-s…

…afe-bug Fix attribute value safe bug
liveview-native · Feb 21, 2024 · e6aa92a · e6aa92a
2 parents 8bffbc2 + cc0fbcd
commit e6aa92a
Show file tree

Hide file tree

Showing 4 changed files with 53 additions and 7 deletions.
diff --git a/lib/live_view_native/template.ex b/lib/live_view_native/template.ex
@@ -10,9 +10,6 @@ defmodule LiveViewNative.Template do
     end)
   end
 
-  def escape({:safe, _} = safe), do: safe
-  def escape(other), do: {:safe, LiveViewNative.Engine.encode_to_iodata!(other)}
-
   def attributes_escape(attrs) when is_list(attrs) do
     {:safe, build_attrs(attrs)}
   end
@@ -22,7 +19,7 @@ defmodule LiveViewNative.Template do
   end
 
   defp build_attrs([{k, true} | t]),
-  do: [?\s, key_escape(k) | build_attrs(t)]
+    do: [?\s, key_escape(k) | build_attrs(t)]
 
   defp build_attrs([{_, false} | t]),
     do: build_attrs(t)
@@ -104,6 +101,6 @@ defmodule LiveViewNative.Template do
   defp attr_escape(attr)
   defp attr_escape({:safe, data}), do: data
   defp attr_escape(nil), do: []
-  defp attr_escape(other) when is_binary(other), do: LiveViewNative.Template.escape(other)
+  defp attr_escape(other) when is_binary(other), do: Phoenix.HTML.Engine.html_escape(other)
   defp attr_escape(other), do: LiveViewNative.Template.Safe.to_iodata(other)
 end
diff --git a/lib/live_view_native/template/safe.ex b/lib/live_view_native/template/safe.ex
@@ -35,7 +35,7 @@ defimpl LiveViewNative.Template.Safe, for: Atom do
 end
 
 defimpl LiveViewNative.Template.Safe, for: BitString do
-  defdelegate to_iodata(data), to: LiveViewNative.Template, as: :escape
+  defdelegate to_iodata(data), to: Phoenix.HTML, as: :html_escape
 end
 
 defimpl LiveViewNative.Template.Safe, for: Time do

diff --git a/mix.exs b/mix.exs
@@ -34,6 +34,7 @@ defmodule LiveViewNative.MixProject do
       {:phoenix_live_view, github: "phoenixframework/phoenix_live_view", ref: "4939fb8", override: true},
       {:phoenix_live_reload, "~> 1.4", only: :test},
       {:phoenix_template, "~> 1.0.4"},
+      {:phoenix_html, "~> 3.3 or ~> 4.0 or ~> 4.1"},
       {:floki, ">= 0.30.0", only: :test},
       {:plug, "~> 1.15"},
       {:jason, "~> 1.2"},

diff --git a/test/live_view_native/template_test.exs b/test/live_view_native/template_test.exs
@@ -2,16 +2,64 @@ defmodule LiveViewNative.TemplateTest do
   use ExUnit.Case, async: false
   import LiveViewNative.Component, only: [sigil_LVN: 2]
 
+  describe "value embedding" do
+    test "can embed values with EEx statement" do
+      assigns = %{foo: "bar"}
+
+      assert ~LVN"""
+      <Foo><%= @foo %></Foo>
+      """
+      |> render() =~ ~S(<Foo>bar</Foo>)
+    end
+
+    test "can embed values from maps" do
+      data = %{"foo" => "bar"}
+      assigns = %{data: data}
+
+      assert ~LVN"""
+      <Foo><%= @data["foo"] %></Foo>
+      """
+      |> render() =~ ~S(<Foo>bar</Foo>)
+    end
+  end
+
   describe "attributes" do
     test "won't stringify attribute names" do
       assigns = %{}
 
       assert ~LVN"""
-      <Foo foo_bar = "123" />
+      <Foo foo_bar="123" />
       """
       |> render() =~ ~S(<Foo foo_bar="123"></Foo>)
     end
 
+    test "accepts string values" do
+      assigns = %{}
+
+      assert ~LVN"""
+      <Foo foo={"bar"} />
+      """
+      |> render() =~ ~S(<Foo foo="bar"></Foo>)
+    end
+
+    test "accepts values from maps" do
+      assigns = %{}
+
+      assert ~LVN"""
+      <Foo foo={%{"foo" => "bar"}["foo"]} />
+      """
+      |> render() =~ ~S(<Foo foo="bar"></Foo>)
+    end
+
+    test "accepts values from lists" do
+      assigns = %{}
+
+      assert ~LVN"""
+      <Foo foo={[foo: "bar"][:foo]} />
+      """
+      |> render() =~ ~S(<Foo foo="bar"></Foo>)
+    end
+
     test "accepts numbers for id" do
       assigns = %{}