
feat: support string types and functions for URL attributes - no longer require templ.SafeURL - fixes #1167 #1171

Merged
a-h merged 11 commits into a-h:main from jackielii:safeurl-with-error
Jun 6, 2025


@jackielii
Contributor

fixes #1167

This PR changes form action and anchor href to use SafeURL with error

@jackielii jackielii force-pushed the safeurl-with-error branch 2 times, most recently from 5ff3b12 to 49392bf Compare June 1, 2025 11:18
@jackielii
Contributor Author

@a-h @joerdav For templ code

```templ
<form action={ safeUrl() }>With Error</form>
```

The generated code looks like this:

```go
var templ_7745c5c3_Var4 string
templ_7745c5c3_Var4, templ_7745c5c3_Err = templ.JoinStringErrs[templ.SafeURL](safeUrl())
if templ_7745c5c3_Err != nil {
	return templ.Error{Err: templ_7745c5c3_Err, FileName: `generator/test-form-action/template.templ`, Line: 7, Col: 25}
}
```

Can I propose to remove the [templ.SafeURL] restriction? So that the generated code may look like:

```go
var templ_7745c5c3_Var4 string
templ_7745c5c3_Var4, templ_7745c5c3_Err = templ.JoinStringErrs(safeUrl())
if templ_7745c5c3_Err != nil {
	return templ.Error{Err: templ_7745c5c3_Err, FileName: `generator/test-form-action/template.templ`, Line: 7, Col: 25}
}
```

This will allow both string and templ.SafeURL to work. I.e. it would accept both of these functions:

```go
func safeUrl() (templ.SafeURL, error) {
	return templ.URL("/valid"), nil
}

func stringUrl() (string, error) {
	return "/valid", nil
}
```

@jackielii jackielii force-pushed the safeurl-with-error branch from 49392bf to 1b45c44 Compare June 4, 2025 16:25
@jackielii jackielii force-pushed the safeurl-with-error branch from aa4a1a4 to b2113fb Compare June 5, 2025 08:00
@a-h a-h requested review from Copilot and joerdav June 6, 2025 07:56
Contributor

Copilot AI left a comment


Pull Request Overview

Adds error-aware URL sanitation by introducing JoinURLErrs and updating generated templates to propagate URL errors.

  • Define JoinURLErrs in url.go to sanitize or bypass based on input type and combine errors.
  • Update EscapeString to a generic signature accepting any string-like type.
  • Regenerate template and generator code across tests, examples, and benchmarks to call JoinURLErrs, insert error handlers, and adjust expected outputs.

Reviewed Changes

Copilot reviewed 13 out of 13 changed files in this pull request and generated 2 comments.

| File | Description |
| --- | --- |
| url.go | Introduce JoinURLErrs for sanitizing URLs and bundling errors. |
| url_test.go | Add unit tests for JoinURLErrs covering sanitization and error joins. |
| runtime.go | Change EscapeString to generic form (T ~string). |
| generator/generator.go | Update code generator to emit JoinURLErrs calls and error checks. |
| generator/test-html/template_templ.go | Regenerated HTML template to use JoinURLErrs and handle errors. |
| generator/test-form-action/template_templ.go | Regenerated form-action template with error-handling around URLs. |
| generator/test-form-action/template.templ | Add safeUrl/stringUrl helpers in template to test error variants. |
| generator/test-form-action/expected.html | Adjust expected output for form-action tests with error cases. |
| generator/test-attribute-escaping/template_templ.go | Regenerated attribute-escaping test template for JoinURLErrs. |
| generator/test-a-href/template_templ.go | Regenerated anchor-href test template to use JoinURLErrs. |
| examples/static-generator/blog_templ.go | Update example generator to propagate URL errors in blog links. |
| cmd/templ/lspcmd/httpdebug/list_templ.go | Update HTTP-debug template to join URL errors in link generation. |
| benchmarks/templ/template_templ.go | Update benchmark template to use JoinURLErrs with error checks. |

Comments suppressed due to low confidence (2)

url.go:25

  • [nitpick] Consider enhancing this doc comment to mention that SafeURL inputs bypass sanitization and that incoming errors are combined using errors.Join.
// JoinURLErrs joins an optional list of errors and returns a sanitized SafeURL.

generator/test-form-action/template.templ:11

  • [nitpick] Function name 'safeUrl' should use the 'URL' acronym in uppercase (e.g., 'safeURL') to align with Go naming conventions.
func safeUrl(s string) (templ.SafeURL, error) {
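
A sketch of the behaviour discussed in this PR, as an added example that is not templ's own code: string-like values are sanitized against a scheme allowlist, values already typed as SafeURL bypass sanitization, and incoming errors are joined. The local `SafeURL` type is a stand-in for `templ.SafeURL`; `joinURLErrs`, `sanitize`, `blockedURL` and the allowlist are hypothetical names and values chosen for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// SafeURL marks a value the caller has already vetted (hypothetical stand-in
// for templ.SafeURL so the example runs without the templ module).
type SafeURL string

// blockedURL is a constructed placeholder returned when sanitization fails.
const blockedURL SafeURL = "about:invalid#blocked"

// allowedSchemes is an assumed allowlist for this sketch.
var allowedSchemes = map[string]bool{"http": true, "https": true, "mailto": true, "tel": true}

// sanitize keeps relative URLs and allowlisted schemes, and blocks the rest.
func sanitize(s string) SafeURL {
	s = strings.TrimSpace(s)
	i := strings.IndexAny(s, ":/?#")
	if i < 0 || s[i] != ':' {
		return SafeURL(s) // no scheme before the first delimiter: relative URL
	}
	if allowedSchemes[strings.ToLower(s[:i])] {
		return SafeURL(s)
	}
	return blockedURL
}

// joinURLErrs accepts any string-like value. SafeURL inputs bypass
// sanitization, every other type is sanitized, and errors are joined.
func joinURLErrs[T ~string](v T, errs ...error) (SafeURL, error) {
	if u, ok := any(v).(SafeURL); ok {
		return u, errors.Join(errs...)
	}
	return sanitize(string(v)), errors.Join(errs...)
}

func main() {
	for _, in := range []string{"/valid", "https://example.com/a", "javascript:alert(1)"} {
		u, err := joinURLErrs(in)
		fmt.Printf("%-24q -> %q (err=%v)\n", in, u, err)
	}
	u, err := joinURLErrs(SafeURL("javascript:void(0)"), errors.New("lookup failed"))
	fmt.Printf("SafeURL passthrough -> %q (err=%v)\n", u, err)
}
```

The last call shows why the type-based bypass matters for review: once a value is typed as SafeURL, nothing downstream re-checks it, so the conversion site is the place to audit.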

a-h and others added 2 commits June 6, 2025 09:26
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@joerdav
Collaborator

joerdav commented Jun 6, 2025

Looks good to me, makes the behaviour consistent with other attributes, I like it.

Just has a failing test is all.

@a-h a-h changed the title SafeURL with error feat: support string types and functions for URL attributes - no longer require templ.SafeURL - fixes #1167 Jun 6, 2025
@a-h a-h merged commit 7df55ec into a-h:main Jun 6, 2025
4 checks passed
```templ
templ component(contact model.Contact) {
<div hx-get={ string(templ.URL(fmt.Sprintf("/contacts/%s/email", contact.ID)))}>
<div hx-get={ templ.URL(fmt.Sprintf("/contacts/%s/email", contact.ID)) }>
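
Review bot: both `hx-get` lines build the path with `fmt.Sprintf("/contacts/%s/email", contact.ID)` and no path escaping. `templ.URL` sanitizes the URL as a whole; it does not escape an individual path segment, so an ID containing `/`, `?` or `#` would alter the request path. Since this is documentation that readers will copy, consider `url.PathEscape(contact.ID)` in the example, or a sentence stating that `contact.ID` is assumed to be a server-generated identifier.
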
Contributor Author


According to the description above, this should just be fmt.Sprintf("/contacts/%s/email", contact.ID), URL sanitising is automatic

Owner


It's not automatic for hx-get because it's a non-standard attribute.

templ could have a list of "well known" attribute names that contain URLs, but since data-* URLs can contain them, it wouldn't be much use.

So, I think this documentation is accurate.

Contributor Author


oh yeah, you're right!

> templ could have a list of "well known"

I'm ok with current behaviour. Having the "well known" creates possibilities of conflict. And will always not be enough as different people will want to have their favourite framework supported.


Development

Successfully merging this pull request may close these issues.

form action, anchor href should allow (SafeURL, error)
