fix(templating): replace Hogan.js with ES6 literals #773
Conversation
Hogan.js uses Function objects, which violates CSP policies which do not add the `unsafe-eval` directive. Given the relatively minor use in the codebase, replace with ES6 literals and remove the dependency - Replace Hogan with direct interpolation of data into string template - Rework/remove tests that make reference to Hogan.js, since not used - Remove Hogan.js from dependencies See algolia/instantsearch#2868 for further information
|
This is very interesting, thanks! I'm not a maintainer of docsearch, but don't we expose the templates to the users? If so this would be a breaking change |
|
Bundlesize impact: pre: 46.6 kB gz |
I'm not so sure, judging from the package exports and the official documentation. The only thing that seems to be exposed is the |
LoneRifle
changed the title
|
One thing however that was just pointed out to me by @francoischalifour is that hogan deals with XSS, while now the html isn't sanitised anymore, we need to filter out & becomes &
not sure if there's attributes with user input that needs to be escaped, but " becomes " source I checked to be sure: https://stackoverflow.com/a/7382028/3185307 |
|
We've done a complete rewrite for DocSearch.js v3 that gets rid of Hogan.js. This POC looks promising and we might move forward with it in the coming months. For this reason and the fact that Hogan.js does more work than basic strings (e.g. escaping – which I assume is the reason we went for Hogan.js in the first place), I don't think we're going to move forward with this PR. This is a change that is not radical enough to be included in the next minor version given the risks it generates. Thank you for the proposition, it's very appreciated! Feel free to open an issue first next time so that we discuss what changes might make it to a release. |
Tim and I just spent some time pairing on the best way to get algolia backported from bk/bk to this app. We explored leaving CSP enforced, but that requires allowing `unsafe_eval` in production and that's not ideal. It turns out CSP on bk/bk is in report-only mode as well, and docsearch is violating it (with a report) each time someone searches. So for now, we've configured this appto behave the same way. We'd love to start enforcing CSP on the docs app, but there's been little movement on docsearch adapting to be more CSP friendly (see algolia/docsearch#773). Algolia have an alternative JS library that is CSP friendly and we'd love to use it. Maybe that's our best path to enforcing CSP? https://www.algolia.com/doc/guides/building-search-ui/what-is-instantsearch/js/
477: Remove hogan lib to remove unsafe eval error r=bidoubiwa a=bidoubiwa See algolia/docsearch#773 Co-authored-by: Charlotte Vermandel <charlottevermandel@gmail.com> Co-authored-by: bors[bot] <26634292+bors[bot]@users.noreply.github.com> Co-authored-by: cvermand <33010418+bidoubiwa@users.noreply.github.com>
3 participants
Summary
Hogan.js uses Function objects, which violates CSP policies which do not
add the
unsafe-evaldirective. Given the relatively minor use in thecodebase, replace with ES6 literals and remove the dependency
See algolia/instantsearch#2868 for further information
Inspect bcc440a for the actual changes - de-linting/prettier was run on affected files before changes committed
Result
Tested on local machine. Note the lack of references to Hogan