Correctly handle HTML entities inside <py-script> source code

[antocuni]

Follow up of this conversation: #684 (comment)

This is best explained by a simple example:

<script type="text/javascript">
console.log("js: a &amp; b");
</script>
<py-script>
import js
js.console.log("py: a &amp; b");
</py-script>

This produces the following:

js: a & b
py: a & b

This is even worse if we use " or ', because currently they are interpreted as quotes and thus they can easily trigger Python syntax errors; e.g. the following trigger a SyntaxError:

<py-script>
import js
js.console.log("py: a &quot; b");
</py-script>

By reading the code, it seems that the interpretation of HTML entities happens here:

pyscript/pyscriptjs/src/utils.ts

Lines 17 to 24 in 6cb81b5

	function escape(str: string): string {
	return str.replace(/</g, "&lt;").replace(/>/g, "&gt;")
	}
	function htmlDecode(input: string): string {
	const doc = new DOMParser().parseFromString(ltrim(escape(input)), 'text/html');
	return doc.documentElement.textContent;
	}

I don't really understand what's going on: inside htmlDecode input seems to be the raw string of text that we want; then we put it inside DOMParser(), only to extract the text back.
PR #684 mitigates the issue by escaping angle brackets, but why do we need to call DOMParser in the first place?

/cc @philippjfr who worked on this recently and @fpliger who might remember what was the original idea

[fpliger]

I think this is part of the bigger redesign work we need to do in #622, so putting it as a subtask there...

To your question. @antocuni I think this was due to behavior when you want the output to be inserted back in the DOM and things for mixed up. Definitely needs to be rethought, and either put behind an option flag or removed.

[philippjfr]

I think this was due to behavior when you want the output to be inserted back in the DOM and things for mixed up. Definitely needs to be rethought, and either put behind an option flag or removed.

I don't think that's the reason. I might be wrong but without the DOMParser approach we couldn't handle any of the special characters >, < and &, e.g. see #481

[philippjfr]

Ah I see what you're getting at now @fpliger, yes that sounds right.

[antocuni]

To your question. @antocuni I think this was due to behavior when you want the output to be inserted back in the DOM and things for mixed up.

I still don't understand.
According to grep, htmlDecode is used to decode the source code inside <py-script>, <py-button> and it's never used for the output.

[antocuni]

Moreover, it seems that htmlDecode is called twice, unless I'm mistaken.
First, it is called when we set this.code:

pyscript/pyscriptjs/src/components/pyscript.ts

Lines 33 to 37 in 6cb81b5

	connectedCallback() {
	this.checkId();
	this.code = htmlDecode(this.innerHTML);
	this.innerHTML = '';

Later, it is called inside getSourceElement():

pyscript/pyscriptjs/src/components/pyscript.ts

Lines 111 to 114 in 6cb81b5

	getSourceFromElement(): string {
	return htmlDecode(this.code);
	}

If I apply this patch:

diff --git a/pyscriptjs/src/components/pyscript.ts b/pyscriptjs/src/components/pyscript.ts
index 19ac005..4aa19d7 100644
--- a/pyscriptjs/src/components/pyscript.ts
+++ b/pyscriptjs/src/components/pyscript.ts
@@ -32,7 +32,8 @@ export class PyScript extends BaseEvalElement {
 
     connectedCallback() {
         this.checkId();
-        this.code = htmlDecode(this.innerHTML);
+        //this.code = htmlDecode(this.innerHTML);
+        this.code = this.innerHTML;
         this.innerHTML = '';
 
         const mainDiv = document.createElement('div');
@@ -110,7 +111,8 @@ export class PyScript extends BaseEvalElement {
     }
 
     getSourceFromElement(): string {
-        return htmlDecode(this.code);
+        //return htmlDecode(this.code);
+        return this.code;
     }
 }

I confirm that <py-script>console.info("a &amp; b") </py-script> correctly prints a & b.

Moreover, <py-repl>console.info("a &amp; b") </py-repl> has a similar problem, which seems to be not fixed by the patch above

[fpliger]

It does look like it's being called twice (and it's a bug). Still, it's something that will be taken care as part of the bigger redesign work in #622

[antocuni]

It does look like it's being called twice (and it's a bug). Still, it's something that will be taken care as part of the bigger redesign work in #622

if you say so 😅.
I still think this is a problem of reading the py-script source code and thus it's orthogonal to how we handle the output produced by executing the scripts, but I suppose we can just wait and see whether #622 will fix the problem :)

[marimeireles]

I talked to @antocuni about it and agree with redesigning it as part of #622 efforts.

[antocuni]

I talked to @antocuni about it and agree with redesigning it as part of #622 efforts.

@marimeireles make sure to add the relevant tests ;)

[marimeireles]

I think this is related...
#518
We should at least investigate if this is still reproducible or what's up =)