Hi, and thanks for gomponents — the 1:1-with-HTML, minimal-by-design approach is exactly why I like it.
I'd like to gauge your appetite for a small addition before putting any work into a PR.
Context
gomponents HTML-escapes attribute values, which is great, but it doesn't inspect the scheme of a URL in Href. I assume that's intentional and consistent with the library's philosophy. The consequence is that a value from user or external input can still produce a dangerous link:
A(Href(userInput), Text("click"))
// userInput == "javascript:alert(1)" -> clickable XSS
Escaping doesn't help here, since it doesn't change the navigation target.
What I'm not proposing
No change to the default behavior of Href. This is only about an opt-in helper.
What I'd like your opinion on
Would you be open to an opt-in helper that users explicitly choose, leaving Href untouched — something narrow that neutralizes dangerous schemes (collapsing them to "#") and passes everything else through unchanged? For example a SafeURL(string) string sanitizer, and/or a SafeHref(...) attribute built on top of it.
I realize the core library is intentionally feature-complete, so I'm not assuming this belongs in html. If a core addition isn't a fit, would something under x/ (alongside x/slices) be more in line with how you'd want to handle this? And if you'd rather keep URL handling entirely in user code, that's a completely reasonable answer too — I'll just keep it in my own project. I only wanted to check before writing anything. Happy to send a PR with tests if there's interest.
Thanks!
Hi, and thanks for gomponents — the 1:1-with-HTML, minimal-by-design approach is exactly why I like it.
I'd like to gauge your appetite for a small addition before putting any work into a PR.
Context
gomponents HTML-escapes attribute values, which is great, but it doesn't inspect the scheme of a URL in
Href. I assume that's intentional and consistent with the library's philosophy. The consequence is that a value from user or external input can still produce a dangerous link:Escaping doesn't help here, since it doesn't change the navigation target.
What I'm not proposing
No change to the default behavior of
Href. This is only about an opt-in helper.What I'd like your opinion on
Would you be open to an opt-in helper that users explicitly choose, leaving
Hrefuntouched — something narrow that neutralizes dangerous schemes (collapsing them to"#") and passes everything else through unchanged? For example aSafeURL(string) stringsanitizer, and/or aSafeHref(...)attribute built on top of it.I realize the core library is intentionally feature-complete, so I'm not assuming this belongs in
html. If a core addition isn't a fit, would something underx/(alongsidex/slices) be more in line with how you'd want to handle this? And if you'd rather keep URL handling entirely in user code, that's a completely reasonable answer too — I'll just keep it in my own project. I only wanted to check before writing anything. Happy to send a PR with tests if there's interest.Thanks!