Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: input name overriding form method and action checks #8471

Merged
merged 7 commits into from
Jan 13, 2023
Merged

fix: input name overriding form method and action checks #8471

merged 7 commits into from
Jan 13, 2023

Conversation

eltigerchino
Copy link
Member

fixes #8467

Replaces form.method with form.getAttribute('method') to avoid collisions with <input name="method"> in the same form.

Please don't delete this checklist! Before submitting the PR, please make sure you do the following:

  • It's really useful if your PR references an issue where it is discussed ahead of time. In many cases, features are absent for a reason. For large changes, please create an RFC: https://github.com/sveltejs/rfcs
  • This message body should clearly illustrate what problems it solves.
  • Ideally, include a test that fails without this PR but passes with it.

Tests

  • Run the tests with pnpm test and lint the project with pnpm lint and pnpm check

Changesets

  • If your PR makes a change that should be noted in one or more packages' changelogs, generate a changeset by running pnpm changeset and following the prompts. Changesets that add features should be minor and those that fix bugs should be patch. Please prefix changeset messages with feat:, fix:, or chore:.

@changeset-bot
Copy link

changeset-bot bot commented Jan 11, 2023
edited
Loading

🦋 Changeset detected

Latest commit: b665068

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package
Name Type
@sveltejs/kit Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

Conduitry
Conduitry requested changes Jan 11, 2023
View reviewed changes
Copy link
Member

@Conduitry Conduitry left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

form.getAttribute('method') will not normalize the method name like form.method will. If someone has method="POST", the code here will not catch that. I don't know whether that would just be a matter of lowercasing the attribute, or stripping whitespace, or what.

Separately, this would (I think) also be susceptible to the extremely contrived situation of an input element name getAttribute. Similar to #7599, we should probably be using HTMLFormData.prototype here.

@eltigerchino
Copy link
Member Author

eltigerchino commented Jan 11, 2023
edited
Loading

form.getAttribute('method') will not normalize the method name like form.method will. If someone has method="POST", the code here will not catch that. I don't know whether that would just be a matter of lowercasing the attribute, or stripping whitespace, or what.

Good catch. Just found that out myself while trying to get the tests to pass.

Separately, this would (I think) also be susceptible to the extremely contrived situation of an input element name getAttribute. Similar to #7599, we should probably be using HTMLFormData.prototype here.

I've tested and it does seem to correctly ignore input elements named "method". But I'll change it anyways for consistency

EDIT: nevermind. HTMLFormElement.prototype.method can't be called

@eltigerchino
Copy link
Member Author

eltigerchino commented Jan 11, 2023
edited
Loading

form.getAttribute('method') will not normalize the method name like form.method will. If someone has method="POST", the code here will not catch that. I don't know whether that would just be a matter of lowercasing the attribute, or stripping whitespace, or what.

Hopefully fixed this issue. Any invalid method attribute value such as method="post " or method="abc", etc. will default to get (similar to the value returned by form.method).

EDIT: Whoops. I understand how action was returned consistently using HTMLFormElement.prototype now. Removed the unnecessary helper method.

Added the same fix for an outstanding form.action check as well.

@eltigerchino eltigerchino changed the title change form.method to form.getAttribute fix input name overriding form method and action checks Jan 11, 2023
@dummdidumm dummdidumm changed the title fix input name overriding form method and action checks fix: input name overriding form method and action checks Jan 12, 2023
@eltigerchino eltigerchino requested review from dummdidumm and removed request for Conduitry January 12, 2023 19:13
dummdidumm
dummdidumm approved these changes Jan 13, 2023
View reviewed changes
Copy link
Member

@dummdidumm dummdidumm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you!

@Rich-Harris Rich-Harris merged commit 37ed70b into sveltejs:master Jan 13, 2023
@github-actions github-actions bot mentioned this pull request Jan 13, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Conduitry Conduitry Conduitry requested changes

@Rich-Harris Rich-Harris Rich-Harris approved these changes

@dummdidumm dummdidumm dummdidumm approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

use:enhance breaks HMR and routing in dev with <input name="method" />
4 participants
@eltigerchino @Rich-Harris @dummdidumm @Conduitry