[wp-trac] [WordPress Trac] #60229: HTML API: Introduce HTML Templating

WordPress Trac noreply at wordpress.org
Wed Mar 6 18:26:11 UTC 2024 

#60229: HTML API: Introduce HTML Templating
-------------------------------------------------+-------------------------
 Reporter:  dmsnell                              |       Owner:  (none)
     Type:  enhancement                          |      Status:  new
 Priority:  normal                               |   Milestone:
Component:  HTML API                             |     Version:  trunk
 Severity:  normal                               |  Resolution:
 Keywords:  has-patch has-unit-tests needs-dev-  |     Focuses:
  note dev-feedback                              |
-------------------------------------------------+-------------------------

Comment (by dmsnell):

 > whether you've given any thought to using an existing (and mature)
 syntax/implementation rather than creating something custom?

 Thanks for asking @alexsanford1! Yes absolutely. This is in part the end
 of the work discussed regarding
 [https://github.com/WordPress/gutenberg/discussions/39831 dynamic server-
 side tokens], a project that ultimately began years ago looking to find
 placeholder syntax, which in part has guided the development of the HTML
 API itself.

 As briefly [https://make.wordpress.org/core/2023/08/19/progress-report-
 html-api/ discussed in the HTML API Progress Report] and in the linked-
 PR's description, the choice of this syntax ultimately fell down to
 finding a safe syntax embedded within HTML itself. It's actually //this
 very syntax// which relies on one of the most mature syntaxes and
 implementations in any system (HTML) and in so doing, avoids the category
 of issues created when adding new syntax into HTML.

 This is both //new// syntax and also //nothing new//. It's new inside
 attribute values because there's no escape hatch there, but it's not new
 in any other place. This means that unlike every known templating syntax
 I've seen (outside of JSX), it's not possible to break HTML boundaries
 with the placeholders. I draw a strong contrast to using something like
 `{{{ }}}` which is a level of parsing above or below HTML. A superset
 syntax raises questions about how to handle the template syntax when it
 clashes with the HTML. By embracing the HTML syntax WordPress would never
 have to answer that question, because a misplaced placeholder is going to
 be interpreted in some other way, perhaps as an HTML attribute name, but
 won't break the document.

 This syntax places additional constraints that I personally consider
 beneficial. They cannot be used to for the tag name, cannot be used to
 concatenate HTML elements, and most importantly, cannot be nested at all
 (because as HTML syntax, they terminate at the first `>` following their
 opening. Should the server fail to replace these, a browser will interpret
 them as HTML comments, and the biggest leak will be the contents of the
 placeholder, the page at large being interpreted as if they never existed
 rather than breaking the HTML structure.

 All of this is to say that I believe this is the end of the search for a
 mature existing syntax and not the prompt for one. These avoid the
 security issues inherent in almost every templating syntax I've ever seen,
 and provide a context-aware auto-escaping feature that means developers
 don't have to worry about escaping, because the system does. It it likely,
 as you call out, this will mean they don't bring all of the features
 available in other templating systems, or get them as fast. Concerning the
 HTML API though reliability and trust are more important than speed and
 features.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/60229#comment:14>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

More information about the wp-trac mailing list