Fix Bug 1457233 - Allow AS router message content to include subset of HTML #4162
Conversation
There was a problem hiding this comment.
The reason the spread syntax isn't working is that node_modules is excluded in the rule in webpack.config.js. If you change /node_modules/ to /node_modules\/(?!(fluent|fluent-react)\/).*/, it should work. That said, using externals will side-step this problem.
| @@ -1,3 +1,4 @@ | |||
| import "regenerator-runtime/runtime"; | |||
There was a problem hiding this comment.
Hm, I see the issue when I tried building this. The syntax that seems to be causing the issue isfor await (const x of iterable), which seems weird to me – we could try to figure this out, however I think the easiest way to deal with this is to use the external (i.e. manually copy node_modules/fluent/fluent.js and node_modules/fluent-react/fluent-react.js). Have you tried that?
There was a problem hiding this comment.
After some more investigation async iterator support seemed to have landed in acorn 5.4.0 (see https://github.com/acornjs/acorn/releases/tag/5.4.0), so the same bug that is causing our object rest spread bug is also causing this :(
| @@ -1,6 +1,8 @@ | |||
| import {actionCreators as ac, ASRouterActions as ra} from "common/Actions.jsm"; | |||
| import {OUTGOING_MESSAGE_NAME as AS_GENERAL_OUTGOING_MESSAGE_NAME} from "content-src/lib/init-store"; | |||
| import {ImpressionsWrapper} from "./components/ImpressionsWrapper/ImpressionsWrapper"; | |||
| import {LocalizationProvider} from "fluent-react"; | |||
| import {MessageContext} from "fluent/compat"; | |||
There was a problem hiding this comment.
if you're using fluent/compat you'll need to npm install fluent
|
Right now anchors are rendered using
|
| function convertLinks(links) { | ||
| if (links) { | ||
| return Object.keys(links).reduce((acc, linkTag) => { | ||
| acc[linkTag] = <a href={links[linkTag].url} />; |
There was a problem hiding this comment.
Can you whitelist allowed protocols here, so at least javascript: isn't allowed?
There was a problem hiding this comment.
actually you can use safeURI here for that
webpack.prerender.config.js
Outdated
| @@ -24,6 +24,7 @@ module.exports = Object.assign({}, webpackConfig, { | |||
| "react-dom": "commonjs react-dom" | |||
| }, | |||
| plugins: [ | |||
| new webpack.BannerPlugin(banner) | |||
| new webpack.BannerPlugin(banner), | |||
| new webpack.DefinePlugin({document: {createElement: () => {}}}) | |||
There was a problem hiding this comment.
looool hax :P Can you add a comment about why this is needed?
| <LocalizationProvider messages={generateMessages(this.state.message.content.text)}> | ||
| <SimpleSnippet | ||
| {...this.state.message} | ||
| richText={<RichText text={this.state.message.content} />} |
There was a problem hiding this comment.
I would do text={this.state.message.content.text} links={this.state.message.content.links} or just {...this.state.message.content}, passing message.content as text is kind of confusing
| @@ -392,14 +392,14 @@ | |||
| "dev": true | |||
| }, | |||
| "asn1.js": { | |||
| "version": "4.9.2", | |||
There was a problem hiding this comment.
this seems like it might be a lot of changes for just adding a couple of dependencies, what version of npm are you using out of curiosity?
| @@ -53,6 +55,45 @@ function shouldSendImpressionOnUpdate(nextProps, prevProps) { | |||
| return (nextProps.message.id && (!prevProps.message || prevProps.message.id !== nextProps.message.id)); | |||
| } | |||
|
|
|||
| function* generateMessages(content) { | |||
There was a problem hiding this comment.
Any particular reason this is a generator and not an async function?
| return null; | ||
| } | ||
|
|
||
| function RichText(props) { |
There was a problem hiding this comment.
Can you add a small comment about what this is for
|
Documentation here https://github.com/mozilla/activity-stream/blob/7e544945fbe0cba46eba9387e4c593e98d8f9f55/content-src/asrouter/schemas/message-format.md |
|
Not sure what to do about the package-lock.json diff. |
There was a problem hiding this comment.
Great work! I tested with this https://gist.github.com/k88hudson/2d627d17ebd3e622e5b05e060d98b182 and it's working great, plus my XSS attack was blocked 😜
I've tried including fluent as external modules that resulted in some issues where the build step would complain about the syntax and fail. Alternatively using the
compat versionrequires theregenerator-runtimeand in order to build you would have to include this module before fluent, this would result in too many external modules.Similar problems occur when bundling fluent with AS:
compatwhich also implies a dependency onregenerator-runtimeBut it works if you get through all of that, although I haven't figured out how to render links yet.
The extra logic involved (LocalizationProvider) is only temporary until projectfluent/fluent.js#202 is fixed.