
Content is not allowed inside an HtmlLiteral #1428

Closed
cafour opened this issue Jun 30, 2022 · 6 comments

Comments

@cafour
Contributor

cafour commented Jun 30, 2022

Currently, DotVVM issues an error when I attempt to do this:

<dot:HtmlLiteral>
<script type="template">
  {{ columns }}
</script>
</dot:HtmlLiteral>

This is useful in cases when DotVVM is not used for string interpolation using the {{ value }} syntax, but some other client-side templating library is.

The error says "Content is not allowed inside the property 'HtmlLiteral.Html'! (Conflicting node: Node DothtmlElementNode)". This is despite the fact that HtmlLiteral has a [ControlMarkupOptions(DefaultContentProperty = nameof(Html))] attribute.

IMHO we should allow hard-coded HTML inside an HtmlLiteral and not just a binding.

EDIT: It has occurred to me that maybe I'm not explaining the sample clearly enough. I want the {{ columns }} string to be passed to the browser without any processing (i.e. binding resolution).

WORKAROUND: A resource binding on the HtmlLiteral.Html property to a string const in C# land.

@exyi
Member

exyi commented Jun 30, 2022

Will it work then? I think it will then issue another error that binding {{ columns }} could not be parsed (or that bindings are not allowed in this context). We'd have to instruct the parser that dot:HtmlLiteral is somehow special.

  1. If something else is processing the bindings, you probably have XSS in your page, so I don't want to explicitly support this use case.
  2. If you are really sure that it's fine, or have some other use case for {{ than inlining javascript, then use CDATA for it.
  3. Also... in <script type=template> it should be allowed anyway, script tag AFAIK has this special treatment.

@exyi exyi closed this as not planned Jun 30, 2022
@cafour
Contributor Author

cafour commented Jun 30, 2022

@exyi

  1. Why would I need to have XSS in my page? The page is simply templated by some library that is not aware of DotVVM or its viewmodel in any way and merely uses the same syntax in its templates. I just need to pass a constant HTML literal without DotVVM processing it in any way.

  2. I am not sure if I'm just not using CDATA right, or it's not that well supported. But for me the browser renders not only the contents of CDATA but also the surrounding <![CDATA[...]> tag. Therefore it does not seem to be a fix.

  3. What should be allowed in <script type=template>? If I try to use it without any escapes, DotVVM simply tells me that requirements for that binding could not be met.

I've found a workaround: passing the string constant into the <dot:HtmlLiteral> through a resource binding. But this just seems like too much of a hassle just to escape some dumb {{.

@cafour cafour reopened this Jun 30, 2022
@exyi
Member

exyi commented Jun 30, 2022

Ok you are right, our CDATA parsing logic is broken, that should be definitely fixed. And the script tags don't get special handling, I didn't remember that correctly :/ I wonder how people manage to write inline scripts without using <...

@exyi
Member

exyi commented Jun 30, 2022

  1. Will it process {{ somewhere where you also use a value/resource binding? Does it use Javascript eval (or something similar) to process the templates? This is what Angular 1 or client-side Vue would do and it allows anyone to inject {{ script }}. I guess your library is fine, but you are not the first one to ask about it.

@Mylan719
Contributor

The whole issue from my point of view is that {{ }} is standard for HTML templates of any kind. Someone can realistically combine DotVVM with another framework that uses {{ }} syntax for its templates, especially when integrating with legacy systems.

There should be a way to 'disable' binding parsing, so the {{blablabla}} will not become DothtmlBindingNode but just part of attribute value/literal.

@exyi
Member

exyi commented Aug 5, 2022

Not sure what we can reasonably do about this issue. I fixed the CDATA thing in #1444, so it should be reasonably possible to work around this issue.

Enabling content in HtmlLiteral is possible, but won't solve anything.

We should IMO also fix the script / style parsing; I have made a separate issue for it: #1445

@exyi exyi closed this as not planned Aug 5, 2022
exyi added a commit that referenced this issue Dec 28, 2024
In HTML, the content of <script> and <style> tags should not be parsed as HTML,
the parser should simply look for the end tag.
This eliminates the need to HTML-encode all `<` operators (or even
HTML inlined in string literals).

To align dothtml and HTML, the patch implements this behavior in dothtml.
The change may easily break someone's code, if they already have
a script element with entities like &lt;, so it is possible to configure
which tags will be parsed as "raw text".
By default, it is script, style and also dot:InlineScript and
dot:HtmlLiteral (as suggested in #1428). This setting is up for debate.

resolves #1445
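As an added illustration of the raw-text rule the commit message describes, here is a small Python scanner (written for this page; it is not DotVVM's parser and makes no claim about its internals) that treats a configurable set of tags as raw text and recognises {{ }} bindings only outside them. The default tag set mirrors the one the commit message names; the Token type, the sample markup and the function names are constructed for the example. This is the behaviour that lets the `<dot:HtmlLiteral>` / `<script type="template">` snippet from the opening post reach the browser untouched, and it also shows what an empty raw-text set (the old behaviour) does to the same markup.

```python
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Tags whose content is taken verbatim up to the matching end tag (case-insensitive).
# Constructed to mirror the default set the commit message names; not DotVVM's config object.
DEFAULT_RAW_TEXT_TAGS: FrozenSet[str] = frozenset(
    {"script", "style", "dot:inlinescript", "dot:htmlliteral"}
)


@dataclass
class Token:
    kind: str                 # "text", "binding" or "raw"
    value: str                # markup text, binding expression, or raw element content
    tag: Optional[str] = None  # lower-cased element name for "raw" tokens


_OPEN_TAG = re.compile(r"<([A-Za-z][\w:.-]*)[^>]*>")
_BINDING = re.compile(r"\{\{(.*?)\}\}", re.DOTALL)


def tokenize(markup: str, raw_text_tags: FrozenSet[str] = DEFAULT_RAW_TEXT_TAGS) -> List[Token]:
    """Split markup into text, {{ }} bindings and raw-text element bodies.

    Inside a raw-text element the scanner only looks for the end tag, exactly as the
    commit message says an HTML parser does for <script> and <style>, so a {{ }} in
    there is never turned into a binding. Attributes on the raw-text element's own
    open tag are left as plain text in this illustration.
    """
    tokens: List[Token] = []
    pos = 0          # where the next search starts
    text_start = 0   # start of the pending plain-text run
    while True:
        m_tag = _OPEN_TAG.search(markup, pos)
        m_bind = _BINDING.search(markup, pos)
        if m_tag is None and m_bind is None:
            break
        tag_first = m_tag is not None and (m_bind is None or m_tag.start() <= m_bind.start())
        if tag_first:
            name = m_tag.group(1).lower()
            if name not in raw_text_tags:
                # Ordinary element: step past the '<' so bindings in its attributes are still found.
                pos = m_tag.start() + 1
                continue
            end_tag = re.compile(r"</" + re.escape(name) + r"\s*>", re.IGNORECASE)
            m_end = end_tag.search(markup, m_tag.end())
            if m_end is None:
                raise ValueError(f"unterminated <{name}> element")
            tokens.append(Token("text", markup[text_start:m_tag.end()]))
            tokens.append(Token("raw", markup[m_tag.end():m_end.start()], tag=name))
            text_start = m_end.start()
            pos = m_end.end()
        else:
            if m_bind.start() > text_start:
                tokens.append(Token("text", markup[text_start:m_bind.start()]))
            tokens.append(Token("binding", m_bind.group(1).strip()))
            text_start = pos = m_bind.end()
    if text_start < len(markup):
        tokens.append(Token("text", markup[text_start:]))
    return tokens


def binding_expressions(markup: str, raw_text_tags: FrozenSet[str] = DEFAULT_RAW_TEXT_TAGS) -> List[str]:
    """Return only the binding expressions the scanner would hand to the binding parser."""
    return [t.value for t in tokenize(markup, raw_text_tags) if t.kind == "binding"]


# Constructed sample: the opening post's template, a real attribute binding, a real
# text binding, and a {{ }} that is merely CSS content.
SAMPLE = """<div class="{{ cssClass }}">
<dot:HtmlLiteral>
<script type="template">
  {{ columns }}
</script>
</dot:HtmlLiteral>
<p>{{ value: Title }}</p>
<style>a::before { content: "{{ not a binding }}"; }</style>
</div>"""


if __name__ == "__main__":
    for tok in tokenize(SAMPLE):
        print(f"{tok.kind:8} {tok.tag or '':16} {tok.value!r}")
    print("bindings (raw-text tags on):", binding_expressions(SAMPLE))
    print("bindings (raw-text tags off):", binding_expressions(SAMPLE, frozenset()))
```

With the default set, `binding_expressions(SAMPLE)` yields only `cssClass` and `value: Title`; with an empty set, `columns` and `not a binding` are also picked up, which is the conflict the thread is about. One caveat the commit message implies and browsers share: the scan for the end tag is purely textual, so a literal `</script>` inside a JavaScript string would terminate the element early, and the scanner raises on an element that never closes rather than silently treating the rest of the file as raw text.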