mirror of
https://github.com/bigskysoftware/htmx.git
synced 2025-09-27 13:01:03 +00:00
Fix hx-on/hx-on:* to suppress evaluation if allowEval is false (#1682)
* Added more tests for allowEval=false * Wrap hx-on event handlers in maybeEval * Create and cache hx-on function on first event trigger.
This commit is contained in:
Mark Gibson
GitHub
parent
212c9fbd3a
commit
94623d1129
12
src/htmx.js
12
src/htmx.js
@ -1929,18 +1929,22 @@ return (function () {
|
||||
function addHxOnEventHandler(elt, eventName, code) {
|
||||
var nodeData = getInternalData(elt);
|
||||
nodeData.onHandlers = [];
|
||||
var func = new Function("event", code + "; return;");
|
||||
var func;
|
||||
var listener = function (e) {
|
||||
return func.call(elt, e);
|
||||
return maybeEval(elt, function() {
|
||||
if (!func) {
|
||||
func = new Function("event", code);
|
||||
}
|
||||
func.call(elt, e);
|
||||
});
|
||||
};
|
||||
elt.addEventListener(eventName, listener);
|
||||
nodeData.onHandlers.push({event:eventName, listener:listener});
|
||||
return {nodeData:nodeData, code:code, func:func, listener:listener};
|
||||
}
|
||||
|
||||
function processHxOn(elt) {
|
||||
var hxOnValue = getAttributeValue(elt, 'hx-on');
|
||||
if (hxOnValue && htmx.config.allowEval) {
|
||||
if (hxOnValue) {
|
||||
var handlers = {}
|
||||
var lines = hxOnValue.split("\n");
|
||||
var currentEvent = null;
|
||||
|
||||
@ -130,4 +130,21 @@ describe("hx-on:* attribute", function() {
|
||||
delete window.tempCount;
|
||||
});
|
||||
|
||||
it("is not evaluated when allowEval is false", function () {
|
||||
var calledEvent = false;
|
||||
var handler = htmx.on("htmx:evalDisallowedError", function(){
|
||||
calledEvent = true;
|
||||
});
|
||||
htmx.config.allowEval = false;
|
||||
try {
|
||||
var btn = make("<button hx-on:click='window.foo = true'>Foo</button>");
|
||||
btn.click();
|
||||
should.not.exist(window.foo);
|
||||
} finally {
|
||||
htmx.config.allowEval = true;
|
||||
htmx.off("htmx:evalDisallowedError", handler);
|
||||
delete window.foo;
|
||||
}
|
||||
calledEvent.should.equal(true);
|
||||
});
|
||||
});
|
||||
|
||||
@ -119,4 +119,21 @@ describe("hx-on attribute", function() {
|
||||
delete window.tempCount;
|
||||
});
|
||||
|
||||
it("is not evaluated when allowEval is false", function () {
|
||||
var calledEvent = false;
|
||||
var handler = htmx.on("htmx:evalDisallowedError", function(){
|
||||
calledEvent = true;
|
||||
});
|
||||
htmx.config.allowEval = false;
|
||||
try {
|
||||
var btn = make("<button hx-on='click: window.foo = true'>Foo</button>");
|
||||
btn.click();
|
||||
should.not.exist(window.foo);
|
||||
} finally {
|
||||
htmx.config.allowEval = true;
|
||||
htmx.off("htmx:evalDisallowedError", handler);
|
||||
delete window.foo;
|
||||
}
|
||||
calledEvent.should.equal(true);
|
||||
});
|
||||
});
|
||||
|
||||
@ -252,4 +252,49 @@ describe("hx-vals attribute", function() {
|
||||
div.innerHTML.should.equal("Clicked!");
|
||||
});
|
||||
|
||||
it('javascript: is not evaluated when allowEval is false', function () {
|
||||
var calledEvent = false;
|
||||
var handler = htmx.on("htmx:evalDisallowedError", function(){
|
||||
calledEvent = true;
|
||||
});
|
||||
try {
|
||||
htmx.config.allowEval = false;
|
||||
this.server.respondWith("POST", "/vars", function (xhr) {
|
||||
var params = getParameters(xhr);
|
||||
should.not.exist(params['i1']);
|
||||
xhr.respond(200, {}, "Clicked!")
|
||||
});
|
||||
var div = make('<div hx-post="/vars" hx-vals="javascript:i1:\'test\'"></div>')
|
||||
div.click();
|
||||
this.server.respond();
|
||||
div.innerHTML.should.equal("Clicked!");
|
||||
} finally {
|
||||
htmx.config.allowEval = true;
|
||||
htmx.off("htmx:evalDisallowedError", handler);
|
||||
}
|
||||
calledEvent.should.equal(true);
|
||||
});
|
||||
|
||||
it('js: is not evaluated when allowEval is false', function () {
|
||||
var calledEvent = false;
|
||||
var handler = htmx.on("htmx:evalDisallowedError", function(){
|
||||
calledEvent = true;
|
||||
});
|
||||
try {
|
||||
htmx.config.allowEval = false;
|
||||
this.server.respondWith("POST", "/vars", function (xhr) {
|
||||
var params = getParameters(xhr);
|
||||
should.not.exist(params['i1']);
|
||||
xhr.respond(200, {}, "Clicked!")
|
||||
});
|
||||
var div = make('<div hx-post="/vars" hx-vals="js:i1:\'test\'"></div>')
|
||||
div.click();
|
||||
this.server.respond();
|
||||
div.innerHTML.should.equal("Clicked!");
|
||||
} finally {
|
||||
htmx.config.allowEval = true;
|
||||
htmx.off("htmx:evalDisallowedError", handler);
|
||||
}
|
||||
calledEvent.should.equal(true);
|
||||
});
|
||||
});
|
||||
|
||||
@ -152,4 +152,26 @@ describe("hx-vars attribute", function() {
|
||||
div.innerHTML.should.equal("Clicked!");
|
||||
});
|
||||
|
||||
it('is not evaluated when allowEval is false', function () {
|
||||
var calledEvent = false;
|
||||
var handler = htmx.on("htmx:evalDisallowedError", function(){
|
||||
calledEvent = true;
|
||||
});
|
||||
try {
|
||||
htmx.config.allowEval = false;
|
||||
this.server.respondWith("POST", "/vars", function (xhr) {
|
||||
var params = getParameters(xhr);
|
||||
should.not.exist(params['i1']);
|
||||
xhr.respond(200, {}, "Clicked!")
|
||||
});
|
||||
var div = make('<div hx-post="/vars" hx-vals="javascript:i1:\'test\'"></div>')
|
||||
div.click();
|
||||
this.server.respond();
|
||||
div.innerHTML.should.equal("Clicked!");
|
||||
} finally {
|
||||
htmx.config.allowEval = true;
|
||||
htmx.off("htmx:evalDisallowedError", handler);
|
||||
}
|
||||
calledEvent.should.equal(true);
|
||||
});
|
||||
});
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user