These are chat archives for canjs/canjs

8th
Oct 2018
Ivo Pinheiro
@ivospinheiro
Oct 08 2018 16:56
Hi @justinbmeyer!
Just a reminder. Have you had the opportunity to give a look to the sample code?
Justin Meyer
@justinbmeyer
Oct 08 2018 17:50
@ivospinheiro are those the 5.0 versions of can-connect?
idProp: "id", isn't supported
you use {identity} in 5.0
b
rest model works
but not realtime rest model
Justin Meyer
@justinbmeyer
Oct 08 2018 17:56
if you create an issue, I should be able to get to it today
Eben
@eben-roux
Oct 08 2018 18:22
did something odd happen to stache.safeString?
it used to have a toString() method and now it returns a {Symbol(can.toDOM): ƒ}
Justin Meyer
@justinbmeyer
Oct 08 2018 18:23
Eben
@eben-roux
Oct 08 2018 18:23
and renders as "[object Object]"
Justin Meyer
@justinbmeyer
Oct 08 2018 18:23
it should still work
with {{somethingSafeStringed}}
but yeah, it doesn't have the toString() because it led to that XSS attack vector
do you have an example of it not working as it used to?
Eben
@eben-roux
Oct 08 2018 18:24
I do, actually :)
I had this:
image.png
and rendered like so:
image.png
but comes out as [object Object]
here is my sample repo
it should still be on the "old", working, version
Eben
@eben-roux
Oct 08 2018 18:27
if you do the npm update the latest will not work... the "table" sample will output an alert when you press a button
Justin Meyer
@justinbmeyer
Oct 08 2018 18:27
yeah, that JSBin shows it
weird that all the safeString tests still passed
Eben
@eben-roux
Oct 08 2018 18:27
yeah... even easier - lol
Justin Meyer
@justinbmeyer
Oct 08 2018 18:27
can you create an issue and I'll get on it?
Eben
@eben-roux
Oct 08 2018 18:27
sure
Justin Meyer
@justinbmeyer
Oct 08 2018 18:28
oh
weirdly
making the type: "any" fixes it
updated with the fix
is message being converted to an observable?
I think the symbol is being lost on that
which explains why stache's tests were working
b/c it tests safeString with normal objects
Eben
@eben-roux
Oct 08 2018 18:30
the object I returned wasn't from a DefineMap (plain JS object) so whatever the default canjs behaviour would be would be it I guess
Justin Meyer
@justinbmeyer
Oct 08 2018 18:30
DefineMap will take objects and convert them to DefineMap
Eben
@eben-roux
Oct 08 2018 18:30
what would be the default type used then for the attributes?
Justin Meyer
@justinbmeyer
Oct 08 2018 18:31
the default type is "observe"
Eben
@eben-roux
Oct 08 2018 18:31
ah
Justin Meyer
@justinbmeyer
Oct 08 2018 18:31
"observable"
Eben
@eben-roux
Oct 08 2018 18:31
so I guess, to answer your question, they are being changed to observables...
:)
Justin Meyer
@justinbmeyer
Oct 08 2018 18:31
hmm
ok
well using "any" on your VM will probably fix it for now, but please create an issue and I'll try to make something that won't have this problem
Eben
@eben-roux
Oct 08 2018 18:32
lol, I really don't know though but from what you're saying I guess it would
I'll create the issue and then use a proper DefineMap for the object to get around this
Justin Meyer
@justinbmeyer
Oct 08 2018 18:33
you can define types inline btw
Eben
@eben-roux
Oct 08 2018 18:33
it probably would make sense for the safeString to work with a string...
Justin Meyer
@justinbmeyer
Oct 08 2018 18:33
well, it works with a string
Eben
@eben-roux
Oct 08 2018 18:33
interesting, do you have a link to the docs on hand
Eben
@eben-roux
Oct 08 2018 18:34
I changed the type in your codepen to string and the [object object] re-appeared
Justin Meyer
@justinbmeyer
Oct 08 2018 18:34
  address: {
    Type: {
      street: "string",
      city: "string"
    }
  }
well, it returns an object
safeString() returns an object
it can't return a string
there wouldn't be a good way of identifying it otherwise
as strings are immutable in JS
Eben
@eben-roux
Oct 08 2018 18:35
that inline type is pretty nifty... probably does make sense to create a DefineMap if you're going to be doing that though
what I mean is that when you used any it rendered correctly, but when I use string it doesn't... oh... I hear what you're saying
Justin Meyer
@justinbmeyer
Oct 08 2018 18:36

basically, safeString() returns an object,

Prior to that fix, it returned an object with a toString() method (which other things could "accidentally" opt into, which could be a site for XSS)

Eben
@eben-roux
Oct 08 2018 18:36
it is returning an object which is why it should be any
Justin Meyer
@justinbmeyer
Oct 08 2018 18:36
Now it returns an object with that symbol instead, which really means someone is EXPLICITLY saying "this is safe"
accidents are far less likely now
Eben
@eben-roux
Oct 08 2018 18:39
haven't looked into the reflect stuff yet so not too clued up with what you folks are doing with that
Justin Meyer
@justinbmeyer
Oct 08 2018 18:39
sorry this change caught you, we knew it could break apps, but felt that letting people discover they had a potential XSS attack was more important. Unfortunately, you were doing the right thing. I'm thinking the fix for your problem is that safeString() should probably also just add normal properties
Eben
@eben-roux
Oct 08 2018 18:39
will hopefully get around to it at some point
Justin Meyer
@justinbmeyer
Oct 08 2018 18:39
reflect is mostly just our min lodash, but allows types to say what they support via symbols
so an object can be understood as observable by implementing a can.onKeyValue or can.onValue symbol
this way, most of CanJS can be ignorant of the type
Eben
@eben-roux
Oct 08 2018 18:40
what do you mean by "normal" properties?
Justin Meyer
@justinbmeyer
Oct 08 2018 18:40
{foo: "bar"}
foo is a normal property
var fooSymbol = Symbol.for("foo");
{ [fooSymbol]: "bar" }
Eben
@eben-roux
Oct 08 2018 18:41
so what normal properties would safeString() add?
is that for some form of indirection?
Justin Meyer
@justinbmeyer
Oct 08 2018 18:42
probably a "can.toDOM" property to match the symbol
Eben
@eben-roux
Oct 08 2018 18:42
sorry don't want to bog you down on these things now... I could actually look at the docs :)
that goes over symbols and can-reflect
alternative solution ... DefineMap would copy symbols over too
but that seems a bit much
and those symbols would not be observable
basically, we need some way of identifying these strings as "safe"
another way might be to use a WeakMap
but that makes stache more stateful
Eben
@eben-roux
Oct 08 2018 18:46
ah, ok... seems like an adapter of sorts if I get the gist of it
but I'll dig deeper when I have a bit more time
thanks for the help in the meantime... let me log the issue
Justin Meyer
@justinbmeyer
Oct 08 2018 18:48
I think of it as an interface ... and symbols are nice ways of providing interfaces that don't collide
Eben
@eben-roux
Oct 08 2018 18:49
yip, my main language is C# and I remember when I saw the various conditions to determine how to retrieve the value I did think that it would be simpler having something more generic
one would indeed define an interface that would return the value given the source type
there would be an implementation for each type that you could convert from
so you'd "plug-in" another one if a new value provider came along
that is one thing that is nifty with untyped/dynamic languages such as JS... you can simply implement this stuff on the "fly"... we'll assume it's there and if it isn't we'll throw an exception
anyway
Justin Meyer
@justinbmeyer
Oct 08 2018 18:54
👍
Justin Meyer
@justinbmeyer
Oct 08 2018 19:44

@/all I made a video on the goals of the CanJS, StealJS, DoneJS open source efforts and how those efforts are managed. https://www.bitovi.com/blog/open-source-theory

Video: https://youtu.be/_8Sz74FsQ7M

Ivo Pinheiro
@ivospinheiro
Oct 08 2018 20:13
@justinbmeyer I've opened the issue canjs/can-connect#441
Justin Meyer
@justinbmeyer
Oct 08 2018 20:14
taking a look now
Ivo Pinheiro
@ivospinheiro
Oct 08 2018 20:14
Ok, thanks
I'm still working on upgrading to canjs 4.0 but using the can dependencies that match release 4.3.0 where this issue does not occur
Justin Meyer
@justinbmeyer
Oct 08 2018 20:17

just to make sure I'm understanding this right:

This issue does NOT appear when upgrading to the 4.3.0 dependencies?

Ivo Pinheiro
@ivospinheiro
Oct 08 2018 20:19
Exactly
Using can-define 2.5.12 this issue does not occur
If I update the project to use the can-define@2.6.0 it stops working as expected
Justin Meyer
@justinbmeyer
Oct 08 2018 20:27
oh, how odd
trying to figure this out is quite odd so far
Ivo Pinheiro
@ivospinheiro
Oct 08 2018 20:28
Just another update: if I remove the call serialize method on _serialize method, it works as expected
Justin Meyer
@justinbmeyer
Oct 08 2018 20:30
t2._data === t3._data
is the problem
yeah, ok, so this is probably caused by when the prototype was made observable
Ivo Pinheiro
@ivospinheiro
Oct 08 2018 20:35
Ok, is it a problem related with the implementation or with can-define?
Justin Meyer
@justinbmeyer
Oct 08 2018 20:46
problem with can-define I think
Justin Meyer
@justinbmeyer
Oct 08 2018 21:04
@ivospinheiro here's the breakdown of the behavior: https://github.com/canjs/can-connect/issues/441#issuecomment-427978498
Ivo Pinheiro
@ivospinheiro
Oct 08 2018 21:58
Thanks @justinbmeyer for the detailed analysis
I will wait for the correction. Meanwhile I will work with can-define previous release.