Skip to content

RFC: Drop isAttributeNameSafe() check #11667

New issue
New issue
Open
Open
RFC: Drop isAttributeNameSafe() check#11667
Labels
React Core TeamOpened by a member of the React Core TeamType: Breaking ChangeType: Enhancement
Milestone
 
19.0.0
@gaearon

Description

@gaearon
gaearon
opened on Nov 26, 2017

We currently validate DOM attributes on the client and ignore the ones with invalid names:

react/packages/react-dom/src/client/DOMPropertyOperations.js

Lines 202 to 204 in 0c164bb

if (!isAttributeNameSafe(name)) {
return;
}

This check used to be important for safety when we did innerHTML rendering on the client side, but it's not anymore. If we just let it call setAttribute, the browser would throw on a bad attribute name.

This check used to run very infrequently (only for data attributes and custom elements), but now more attributes follow this code path (since any "simple" attributes with the same names are effectively treated as unknown attributes). So even though we cache the result, it seems unfortunate to do the work that the browser is already doing for us.

While this would be a breaking change (so it has to go in 17), I think we should just remove this check, and let the browser throw. This does make spreading props blindly a bit more dangerous, but we have a warning so it should be visible.

Metadata

Metadata

Assignees

No one assigned

    Labels

    React Core TeamOpened by a member of the React Core TeamType: Breaking ChangeType: Enhancement

    Type

    No type

    Projects

    No projects

    Milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions