We've started to add some injection logic to published projects in Thimble. Our current way of doing this is to look for </head> and <body>: + finalized = sanitized.replace(/<body([^>]*)>/, "<body$1>" + remixThis) + .replace("</head", metaTagsRender + "</head"); This is nice because it means we don't have to create a full DOM server side, and can just do some string twiddling. However, we should consider the case that something gets published without a <head> and <body>. Should we enforce this on the client side and ask users to fix if they omit before publish will work?
Did some checking, it turns out that one nice thing about the full-document Bleaching that we do is that any fragment gets wrapped as an html page, so just <p>monkeys</p> automatically becomes <html><head></head><body><p>monkeys</p></body></html>, so injections still work. Remixing then uses the DB entry, so it still looks like just a fragment. This seems exactly what we want.
In that case let's close this. Thanks for checking on that.
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.