Title: Fix bq-on method reference context loss and remove style attribute from security defaults by Copilot · Pull Request #33 · bQuery/bQuery · GitHub
Open Graph Title: Fix bq-on method reference context loss and remove style attribute from security defaults by Copilot · Pull Request #33 · bQuery/bQuery
X Title: Fix bq-on method reference context loss and remove style attribute from security defaults by Copilot · Pull Request #33 · bQuery/bQuery
Description: Addresses two security and API clarity issues from PR #16 code review.
Changes
src/view/directives/on.ts: Document that auto-invoked method references lose their receiver context
Method references like handlers.onClick or this.onClick are evaluated as unbound functions
Calling unbound methods results in this being undefined
Use explicit call syntax to preserve binding: bq-on:click="handlers.onClick($event)"
src/security/constants.ts: Remove style from DEFAULT_ALLOWED_ATTRIBUTES
Inline CSS enables UI redressing, data exfiltration via url(), and CSS injection vectors
No CSS value sanitization exists, making default inclusion unsafe
Users requiring inline styles can explicitly add to allowAttributes option
Example
// style attribute now blocked by default
sanitizeHtml(' Open Graph Description: Addresses two security and API clarity issues from PR #16 code review.
Changes
src/view/directives/on.ts: Document that auto-invoked method references lose their receiver context
Method referenc...
X Description: Addresses two security and API clarity issues from PR #16 code review.
Changes
src/view/directives/on.ts: Document that auto-invoked method references lose their receiver context
Method referenc...
Opengraph URL: https://github.com/bQuery/bQuery/pull/33
X: @github
Domain: github.com
Links:
Viewport: width=device-width
route-pattern /:user_id/:repository/pull/:id/files(.:format) route-controller pull_requests route-action files fetch-nonce v2:513a0ec7-9e4a-e967-50eb-d94325edba92 current-catalog-service-hash ae870bc5e265a340912cde392f23dad3671a0a881730ffdadd82f2f57d81641b request-id A658:308E6B:8DDB34:C82B01:6A4E7E85 html-safe-nonce f88203a52e2969f6457e41569316781523b1194fc19362c28c01db4a90e87314 visitor-payload eyJyZWZlcnJlciI6IiIsInJlcXVlc3RfaWQiOiJBNjU4OjMwOEU2Qjo4RERCMzQ6QzgyQjAxOjZBNEU3RTg1IiwidmlzaXRvcl9pZCI6IjY0MzgwMjkwMTA2NjQzMjQ3NDEiLCJyZWdpb25fZWRnZSI6ImlhZCIsInJlZ2lvbl9yZW5kZXIiOiJpYWQifQ== visitor-hmac ecd6c547d5781a971944d4f06db91fff87cb4820a2a58dc318d7204f446361ee hovercard-subject-tag pull_request:3216526390 github-keyboard-shortcuts repository,pull-request-list,pull-request-conversation,pull-request-files-changed,copilot google-site-verification Apib7-x98H0j5cPqHWwSMm6dNU4GmODRoqxLiDzdx9I octolytics-url https://collector.github.com/github/collect analytics-location / fb:app_id 1401488693436528 apple-itunes-app app-id=1477376905, app-argument=https://github.com/bQuery/bQuery/pull/33/files twitter:image https://avatars.githubusercontent.com/in/1143301?s=400&v=4 twitter:card summary_large_image og:image https://avatars.githubusercontent.com/in/1143301?s=400&v=4 og:image:alt Addresses two security and API clarity issues from PR #16 code review.
Changes
src/view/directives/on.ts: Document that auto-invoked method references lose their receiver context
Method referenc... og:site_name GitHub og:type object hostname github.com expected-hostname github.com None 41b6ab3ba6d20a71766ac245b5a4a94c6fc672a9cd4da7d44c1b33ab8bf6a21c turbo-cache-control no-preview diff-view unified go-import github.com/bQuery/bQuery git https://github.com/bQuery/bQuery.git octolytics-dimension-user_id 256381806 octolytics-dimension-user_login bQuery octolytics-dimension-repository_id 1139284244 octolytics-dimension-repository_nwo bQuery/bQuery octolytics-dimension-repository_public true octolytics-dimension-repository_is_fork false octolytics-dimension-repository_network_root_id 1139284244 octolytics-dimension-repository_network_root_nwo bQuery/bQuery turbo-body-classes logged-out env-production page-responsive full-width disable-turbo true browser-stats-url https://api.github.com/_private/browser/stats browser-errors-url https://api.github.com/_private/browser/errors release e6a744804e8e70f97b4d5a18a94dcc63db22f97a ui-target canary-2 theme-color #1e2327 color-scheme light dark
URLs of crawlers that visited me.