Deal with attempts to publish Thimble pages without a <head> or <body>

RESOLVED INVALID

People

(Reporter: humph, Unassigned)

(Reporter)

Description

6 years ago
We've started to add some injection logic to published projects in Thimble.  Our current way of doing this is to look for </head> and <body>:

+        finalized = sanitized.replace(/<body([^>]*)>/, "<body$1>" + remixThis)
+                             .replace("</head", metaTagsRender + "</head");
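Review bot: both `.replace` calls on `sanitized` return the string unchanged when their pattern does not match, so a document with no `<body ...>` or no `</head` is published without `remixThis` or `metaTagsRender` and nothing signals it; check that each anchor matched and log or refuse to publish when it did not. The patterns are case-sensitive, so `<BODY>` or `</HEAD>` is skipped unless the sanitizer already lower-cases tags (add the `i` flag if it does not). Both replacements are passed as strings, so a `$&` or `$1`-style sequence inside `remixThis` or `metaTagsRender` is interpreted as a replacement pattern; passing a replacer function keeps the injected markup literal.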

This is nice because it means we don't have to create a full DOM server side, and can just do some string twiddling.  However, we should consider the case that something gets published without a <head> and <body>.

Should we enforce this on the client side and ask users to fix if they omit before publish will work?
(Reporter)

Updated

6 years ago
Depends on: 865709

Comment 1

6 years ago
Did some checking, it turns out that one nice thing about the full-document Bleaching that we do is that any fragment gets wrapped as an html page, so just <p>monkeys</p> automatically becomes <html><head></head><body><p>monkeys</p></body></html>, so injections still work. Remixing then uses the DB entry, so it still looks like just a fragment.

This seems exactly what we want.
(Reporter)

Comment 2

6 years ago
In that case let's close this.  Thanks for checking on that.
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → INVALID
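
Added example (not Thimble's code and not part of the bug thread): the string-replace injection from the description, written so that a missing anchor is reported instead of passing through unchanged, which only arises if a page reaches this step without the full-document wrapping described in comment 1. `injectAt`, `injectChecked` and the sample values are hypothetical names and constructed inputs.

```javascript
// Added example, not Thimble's code. Function names and sample values are
// hypothetical; the anchors mirror the ones used in the description.
const BODY_OPEN = /<body(\s[^>]*)?>/i;  // opening <body ...>, any case
const HEAD_CLOSE = /<\/head\s*>/i;      // closing </head>, any case

// Insert `snippet` before or after the first match of `anchor`.
// A replacer function is used so "$&", "$1" etc. in `snippet` stay literal.
function injectAt(html, anchor, snippet, where) {
  let hit = false;
  const out = html.replace(anchor, (match) => {
    hit = true;
    return where === "before" ? snippet + match : match + snippet;
  });
  return { out, hit };
}

// Returns the finalized HTML plus the list of anchors that were not found,
// so the caller can refuse to publish instead of silently dropping markup.
function injectChecked(sanitized, remixThis, metaTagsRender) {
  const body = injectAt(sanitized, BODY_OPEN, remixThis, "after");
  const head = injectAt(body.out, HEAD_CLOSE, metaTagsRender, "before");
  const missing = [];
  if (!body.hit) missing.push("<body>");
  if (!head.hit) missing.push("</head>");
  return { html: head.out, missing };
}

// Constructed inputs: the wrapped document from comment 1 and the bare fragment.
const wrapped = "<html><head></head><body><p>monkeys</p></body></html>";
const fragment = "<p>monkeys</p>";
const remix = '<a href="#">Remix</a>';              // constructed
const meta = '<meta name="price" content="$&5">';   // constructed, contains "$&"

for (const doc of [wrapped, fragment]) {
  const r = injectChecked(doc, remix, meta);
  console.log(r.missing.length ? "missing: " + r.missing.join(", ") : r.html);
}
```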