orizens | 7 years ago

1. '@click' is replaced with a valid 'data-af-click' attribute.

2. click was a poc - all events are added.

3. 'clean' is using "node.remove" and removes any references to functions - so - no detached references are left then.

4. correct - not taken into consideration at the moment.

5. agree.

6. innerHTML is a valid assignment - the browser validates it.

7. to be discussed

whyonearth | 7 years ago

I think you're being somewhat defensive of what appears to be a prototype, just offering the feedback you requested.

1. What I mean is that <span>@code</span> becomes <span>data-af-click</span>.

2. Where? Not seeing them.

3. You're mistaken about event handler cleanup: https://dom.spec.whatwg.org/#dom-childnode-remove

6. My point here is that relying on strings is brittle. HTML builders, declarative APIs like JSX/React.createElement, and template-based approaches (where the template is a DOM node) are more robust.

BrandoElFollito | 7 years ago

This is probably obvious, but just in case: for point 4 this is DOM-based XSS protection that is missing.
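
The concern in points 4 and 6 of this thread (string templates assigned through innerHTML with no DOM-based XSS protection), shown as an added example that is not part of any comment above or of the project under discussion. The names `html`, `TrustedMarkup`, `escapeHtml`, `naiveTemplate` and `safeTemplate` are hypothetical, and the untrusted input is a constructed sample.

```javascript
// Characters that change meaning in HTML text and quoted attribute values.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Marker for markup produced by the html tag below (hypothetical helper).
// Only values of this type are inserted without escaping.
class TrustedMarkup {
  constructor(markup) { this.markup = markup; }
  toString() { return this.markup; }
}

// Interpolated values are data unless they are already TrustedMarkup.
function render(value) {
  if (value instanceof TrustedMarkup) return value.markup;
  if (Array.isArray(value)) return value.map(render).join('');
  return escapeHtml(value);
}

// Tagged template: the literal parts are developer-authored markup,
// every ${...} interpolation is escaped before it is joined in.
function html(strings, ...values) {
  let out = strings[0];
  values.forEach((value, i) => { out += render(value) + strings[i + 1]; });
  return new TrustedMarkup(out);
}

// String concatenation: whatever is in `name` becomes markup once the
// result is assigned to innerHTML.
function naiveTemplate(name) {
  return '<span class="user">' + name + '</span>';
}

// Same template through the escaping tag.
function safeTemplate(name) {
  return html`<span class="user">${name}</span>`.toString();
}

// Constructed sample input standing in for user-controlled data.
const untrusted = '<img src=x onerror=alert(1)>';
console.log(naiveTemplate(untrusted)); // markup injected as-is
console.log(safeTemplate(untrusted));  // rendered as inert text
// Limits: this covers text nodes and quoted attribute values only. URL
// attributes, unquoted attributes and script/style contexts need their own checks.
```

In a browser, assigning data with `textContent` or building nodes from a template element avoids the string step entirely, which is the more robust route mentioned in point 6.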