[Fizz] Disallow complex children in <title> elements #24679
Merged
+264
−1
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Comparing: 4f29ba1...d97aacc Critical size changesIncludes critical production bundles, as well as any change greater than 2%:
Significant size changesIncludes any change greater than 0.2%: Expand to show
|
sebmarkbage
reviewed
Jun 6, 2022
| ? children[0] || null | ||
| : children; | ||
| if (Array.isArray(child)) { | ||
| // child will only be an Array if it has lenght > 1 based on how it was constructed |
There was a problem hiding this comment.
It can still be <title>{[['foo']]}</title> which is still fine to make an error but that's not quite the same as what the error message lets on.
There was a problem hiding this comment.
yup, missed that, but got it corrected
sebmarkbage
approved these changes
Jun 6, 2022
<title> Elements in the DOM can only have Text content. In Fizz if more than one text node is emitted an HTML comment node is used as a text separator. Unfortunately because of the content restriction of the DOM representation of the title element this separator is displayed as escaped text which is not what the component author intended. This commit special cases title handling, primarily to issue warnings if you pass complex children to <title>. At the moment title expects to receive a single child or an array of length 1. In both cases the type of that child must be string or number. If anything more complex is provided a warning will be logged to the console explaining why this is problematic. There is no runtime behavior change so broken things are still broken (e.g. returning two text nodes which will cause a separator or using Suspense inside title children) but they should at least be accompanied by warnings that are useful. One edge case that will now warn but won't technically break an application is if you use a Component that returns a single string as a child of title. This is a form of indirection that works but becasue we cannot discriminate between a Component that will follow the rules and one that violates them the warning is issued regardless.
This was referenced Mar 4, 2023
This was referenced Nov 6, 2024
This was referenced Nov 6, 2024
This was referenced Nov 7, 2024
This was referenced Nov 7, 2024
This was referenced Nov 8, 2024
CrispyBaguette
pushed a commit
to CrispyBaguette/wasm-palette-converter
that referenced
this pull request
Nov 8, 2024
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [react](https://reactjs.org/) ([source](https://github.com/facebook/react/tree/HEAD/packages/react)) | dependencies | minor | [`18.1.0` -> `18.3.1`](https://renovatebot.com/diffs/npm/react/18.1.0/18.3.1) | | [@types/react](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/master/types/react) ([source](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/react)) | dependencies | minor | [`18.0.9` -> `18.3.12`](https://renovatebot.com/diffs/npm/@types%2freact/18.0.9/18.3.12) | --- ### Release Notes <details> <summary>facebook/react (react)</summary> ### [`v18.3.1`](https://github.com/facebook/react/blob/HEAD/CHANGELOG.md#1831-April-26-2024) [Compare Source](facebook/react@v18.3.0...v18.3.1) - Export `act` from `react` [f1338f](facebook/react@f1338f8) ### [`v18.3.0`](https://github.com/facebook/react/blob/HEAD/CHANGELOG.md#1830-April-25-2024) [Compare Source](facebook/react@v18.2.0...v18.3.0) This release is identical to 18.2 but adds warnings for deprecated APIs and other changes that are needed for React 19. Read the [React 19 Upgrade Guide](https://react.dev/blog/2024/04/25/react-19-upgrade-guide) for more info. ##### React - Allow writing to `this.refs` to support string ref codemod [909071](facebook/react@9090712) - Warn for deprecated `findDOMNode` outside StrictMode [c3b283](facebook/react@c3b2839) - Warn for deprecated `test-utils` methods [d4ea75](facebook/react@d4ea75d) - Warn for deprecated Legacy Context outside StrictMode [415ee0](facebook/react@415ee0e) - Warn for deprecated string refs outside StrictMode [#​25383](facebook/react#25383) - Warn for deprecated `defaultProps` for function components [#​25699](facebook/react#25699) - Warn when spreading `key` [#​25697](facebook/react#25697) - Warn when using `act` from `test-utils` [d4ea75](facebook/react@d4ea75d) ##### React DOM - Warn for deprecated `unmountComponentAtNode` [8a015b](facebook/react@8a015b6) - Warn for deprecated `renderToStaticNodeStream` [#​28874](facebook/react#28874) ### [`v18.2.0`](https://github.com/facebook/react/blob/HEAD/CHANGELOG.md#1820-June-14-2022) [Compare Source](facebook/react@v18.1.0...v18.2.0) ##### React DOM - Provide a component stack as a second argument to `onRecoverableError`. ([@​gnoff](https://github.com/gnoff) in [#​24591](facebook/react#24591)) - Fix hydrating into `document` causing a blank page on mismatch. ([@​gnoff](https://github.com/gnoff) in [#​24523](facebook/react#24523)) - Fix false positive hydration errors with Suspense. ([@​gnoff](https://github.com/gnoff) in [#​24480](facebook/react#24480) and [@​acdlite](https://github.com/acdlite) in [#​24532](facebook/react#24532)) - Fix ignored `setState` in Safari when adding an iframe. ([@​gaearon](https://github.com/gaearon) in [#​24459](facebook/react#24459)) ##### React DOM Server - Pass information about server errors to the client. ([@​salazarm](https://github.com/salazarm) and [@​gnoff](https://github.com/gnoff) in [#​24551](facebook/react#24551) and [#​24591](facebook/react#24591)) - Allow to provide a reason when aborting the HTML stream. ([@​gnoff](https://github.com/gnoff) in [#​24680](facebook/react#24680)) - Eliminate extraneous text separators in the HTML where possible. ([@​gnoff](https://github.com/gnoff) in [#​24630](facebook/react#24630)) - Disallow complex children inside `<title>` elements to match the browser constraints. ([@​gnoff](https://github.com/gnoff) in [#​24679](facebook/react#24679)) - Fix buffering in some worker environments by explicitly setting `highWaterMark` to `0`. ([@​jplhomer](https://github.com/jplhomer) in [#​24641](facebook/react#24641)) ##### Server Components (Experimental) - Add support for `useId()` inside Server Components. ([@​gnoff](https://github.com/gnoff) in [#​24172](facebook/react#24172)) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about these updates again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOC4xNDIuNSIsInVwZGF0ZWRJblZlciI6IjM4LjE0Mi41IiwidGFyZ2V0QnJhbmNoIjoibWFzdGVyIiwibGFiZWxzIjpbXX0=--> Reviewed-on: https://gitea.bruyant.xyz/alexandre/PaletteSwitcher/pulls/49 Co-authored-by: Renovate <[email protected]> Co-committed-by: Renovate <[email protected]>
This was referenced Nov 9, 2024
CrispyBaguette
pushed a commit
to CrispyBaguette/wasm-palette-converter
that referenced
this pull request
Nov 9, 2024
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [react-dom](https://reactjs.org/) ([source](https://github.com/facebook/react/tree/HEAD/packages/react-dom)) | dependencies | minor | [`18.1.0` -> `18.3.1`](https://renovatebot.com/diffs/npm/react-dom/18.1.0/18.3.1) | | [@types/react-dom](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/master/types/react-dom) ([source](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/react-dom)) | devDependencies | minor | [`18.0.3` -> `18.3.1`](https://renovatebot.com/diffs/npm/@types%2freact-dom/18.0.3/18.3.1) | --- ### Release Notes <details> <summary>facebook/react (react-dom)</summary> ### [`v18.3.1`](https://github.com/facebook/react/blob/HEAD/CHANGELOG.md#1831-April-26-2024) [Compare Source](facebook/react@v18.3.0...v18.3.1) - Export `act` from `react` [f1338f](facebook/react@f1338f8) ### [`v18.3.0`](https://github.com/facebook/react/blob/HEAD/CHANGELOG.md#1830-April-25-2024) [Compare Source](facebook/react@v18.2.0...v18.3.0) This release is identical to 18.2 but adds warnings for deprecated APIs and other changes that are needed for React 19. Read the [React 19 Upgrade Guide](https://react.dev/blog/2024/04/25/react-19-upgrade-guide) for more info. ##### React - Allow writing to `this.refs` to support string ref codemod [909071](facebook/react@9090712) - Warn for deprecated `findDOMNode` outside StrictMode [c3b283](facebook/react@c3b2839) - Warn for deprecated `test-utils` methods [d4ea75](facebook/react@d4ea75d) - Warn for deprecated Legacy Context outside StrictMode [415ee0](facebook/react@415ee0e) - Warn for deprecated string refs outside StrictMode [#​25383](facebook/react#25383) - Warn for deprecated `defaultProps` for function components [#​25699](facebook/react#25699) - Warn when spreading `key` [#​25697](facebook/react#25697) - Warn when using `act` from `test-utils` [d4ea75](facebook/react@d4ea75d) ##### React DOM - Warn for deprecated `unmountComponentAtNode` [8a015b](facebook/react@8a015b6) - Warn for deprecated `renderToStaticNodeStream` [#​28874](facebook/react#28874) ### [`v18.2.0`](https://github.com/facebook/react/blob/HEAD/CHANGELOG.md#1820-June-14-2022) [Compare Source](facebook/react@v18.1.0...v18.2.0) ##### React DOM - Provide a component stack as a second argument to `onRecoverableError`. ([@​gnoff](https://github.com/gnoff) in [#​24591](facebook/react#24591)) - Fix hydrating into `document` causing a blank page on mismatch. ([@​gnoff](https://github.com/gnoff) in [#​24523](facebook/react#24523)) - Fix false positive hydration errors with Suspense. ([@​gnoff](https://github.com/gnoff) in [#​24480](facebook/react#24480) and [@​acdlite](https://github.com/acdlite) in [#​24532](facebook/react#24532)) - Fix ignored `setState` in Safari when adding an iframe. ([@​gaearon](https://github.com/gaearon) in [#​24459](facebook/react#24459)) ##### React DOM Server - Pass information about server errors to the client. ([@​salazarm](https://github.com/salazarm) and [@​gnoff](https://github.com/gnoff) in [#​24551](facebook/react#24551) and [#​24591](facebook/react#24591)) - Allow to provide a reason when aborting the HTML stream. ([@​gnoff](https://github.com/gnoff) in [#​24680](facebook/react#24680)) - Eliminate extraneous text separators in the HTML where possible. ([@​gnoff](https://github.com/gnoff) in [#​24630](facebook/react#24630)) - Disallow complex children inside `<title>` elements to match the browser constraints. ([@​gnoff](https://github.com/gnoff) in [#​24679](facebook/react#24679)) - Fix buffering in some worker environments by explicitly setting `highWaterMark` to `0`. ([@​jplhomer](https://github.com/jplhomer) in [#​24641](facebook/react#24641)) ##### Server Components (Experimental) - Add support for `useId()` inside Server Components. ([@​gnoff](https://github.com/gnoff) in [#​24172](facebook/react#24172)) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about these updates again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOC4xNDIuNyIsInVwZGF0ZWRJblZlciI6IjM4LjE0Mi43IiwidGFyZ2V0QnJhbmNoIjoibWFzdGVyIiwibGFiZWxzIjpbXX0=--> Reviewed-on: https://gitea.bruyant.xyz/alexandre/PaletteSwitcher/pulls/50 Co-authored-by: Renovate <[email protected]> Co-committed-by: Renovate <[email protected]>
This was referenced Nov 10, 2024
This was referenced Nov 10, 2024
This was referenced Nov 10, 2024
This was referenced Nov 12, 2024
This was referenced Nov 12, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This commit special cases title handling, primarily to issue warnings if you pass complex children to <title>. At the moment title expects to receive a single child or an array of length 1. In both cases the type of that child must be string or number. If anything more complex is provided a warning will be logged to the console explaining why this is problematic.
There is no runtime behavior change so broken things are still broken (e.g. returning two text nodes which will cause a separator or using Suspense inside title children) but they should at least be accompanied by warnings that are useful.
One edge case that will now warn but won't technically break an application is if you use a Component that returns a single string as a child of title. This is a form of indirection that works but becasue we cannot discriminate between a Component that will follow the rules and one that violates them the warning is issued regardless.