Home Explore Help
Register Sign In
root
/
nicegui
mirror of https://github.com/zauberzeug/nicegui.git
1
0
Fork 0
Files Issues 0 Wiki
Browse Source

Tolerant gethtmlelement (#4672)

This PR fix #4633 side effect: Users may be inclined to pass
`element.html_id` to getHtmlElement, which doesn't work.

Implementation details: 

* We do NOT do the type-checking or try-except solution as mentioned
here
https://github.com/zauberzeug/nicegui/pull/4633#issuecomment-2834621081
* This is because, an explicit type-checking solution goes against duck
typing, and breaks existing user code if they are crazy enough to pass a
BigInt (think: `getHtmlElement(3n)`), or some other object which
`toString` to a string of integer fine, but is not in our whitelist
(think: `JSBI`, custom objects)
* try-except can be potentially dangerous, since it makes the
`getHtmlElement` susceptible to hijack.
* If an attacker injects an element with id `cc5`, it could be selected
on `getHtmlElement("c5")`*
* If an attacker injects an element with id `5`, it could be selected
`getHtmlElement(5)`*
* Rather, we maintain **maximum compatbility** by keeping the spirit of
`toString`, and changing the appending "c" to do it only if it doesn't
already have "c" in front.

*provided the element with id "c5" doesn't exist for any reason
Evan Chan 2 weeks ago
parent
d3c320dc64
commit
d9bf81f35a
1 changed files with 5 additions and 1 deletions
Split View Show Diff Stats
  1. 5 1
      nicegui/static/nicegui.js

+ 5 - 1
nicegui/static/nicegui.js
View File 

@@ -40,7 +40,11 @@ function getElement(id) {
 
 }
 
 
 function getHtmlElement(id) {
 
-  return document.getElementById(`c${id}`);
 
+  let id_as_a_string = id.toString();
 
+  if (!id_as_a_string.startsWith("c")) {
 
+    id_as_a_string = "c" + id_as_a_string;
 
+  }
 
+  return document.getElementById(id_as_a_string);
 
 }
 
 
 function runMethod(target, method_name, args) {