Agreed, we can, using sigil_E is not a big deal. But using raw is not a big deal as well.
Drab targets not only experienced users. Imagine you just learned Phoenix, made your application with <input>, and whatever the user typed into it is shown properly escaped. Great! You don't have to deal with escaping, making your application safer.
Then you are trying Drab. Create an <input> and poke (or insert_html) its value. What do you expect? For me, more natural for beginners would be escaping it by default, just like Phoenix does.
If you need to manually escape every string you push to the browser, you may simply forget to do it. I made such a mistake in Drab's demo page! - remember, you've found it, thanks a lot again.
Safe-by-default should be implemented only on the functions which deal with a node's innerHTML, like Element.insert_html, Query.insert(:html) and poke (but only when updating the html, not an attribute or property). Low level functions, like exec_js, should stay unescaped, obviously.
Looks like this answer convinced me of the safe-by-default idea.
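To make the proposal above concrete, here is an added example (my own sketch, not Drab's code) of a push helper that escapes by default and follows the Phoenix convention of passing {:safe, iodata} through untouched; the module name SafePush, the function names and the :html / :attr / :prop targets are assumptions, and the helper only returns what it would send rather than executing JS.

```elixir
# Added example, not part of Drab: escape-by-default for innerHTML updates,
# with {:safe, iodata} as the explicit opt-out, as in Phoenix templates.
defmodule SafePush do
  # Characters that must not reach innerHTML unescaped.
  @escapes %{?& => "&amp;", ?< => "&lt;", ?> => "&gt;", ?" => "&quot;", ?' => "&#39;"}

  # Byte-wise escaping; multi-byte UTF-8 sequences are copied through unchanged.
  def html_escape(binary) when is_binary(binary) do
    for <<c <- binary>>, into: "", do: Map.get(@escapes, c, <<c>>)
  end

  # Anything already marked safe is trusted; everything else is escaped.
  def to_html({:safe, iodata}), do: IO.iodata_to_binary(iodata)
  def to_html(value) when is_binary(value), do: html_escape(value)
  def to_html(value), do: value |> to_string() |> html_escape()

  # Hypothetical poke/2: only the :html target touches innerHTML, so only it
  # escapes. Attributes and properties are set via the DOM API, not parsed
  # as HTML, so the value is passed through as-is (the caller decides).
  def poke(:html, value), do: {:html, to_html(value)}
  def poke(target, value) when target in [:attr, :prop], do: {target, value}

  # Hypothetical low-level exec_js/1: deliberately never escaped.
  def exec_js(js) when is_binary(js), do: {:js, js}
end

# Constructed input, as a user might type it into an <input>:
user_input = ~s(<img src=x onerror="alert(1)">)

# Escaped by default when it goes into innerHTML:
{:html, "&lt;img src=x onerror=&quot;alert(1)&quot;&gt;"} = SafePush.poke(:html, user_input)

# Explicit opt-out for markup the developer has already vetted:
{:html, "<b>bold</b>"} = SafePush.poke(:html, {:safe, "<b>bold</b>"})

# Attribute/property targets and exec_js stay raw:
{:attr, ~s(<img src=x onerror="alert(1)">)} = SafePush.poke(:attr, user_input)
{:js, "document.title = 'x'"} = SafePush.exec_js("document.title = 'x'")
```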