@github/auto-complete-element
Auto-complete input values from server search results.
```sh
$ npm install --save @github/auto-complete-element
```
Import as ES modules:
```js
import '@github/auto-complete-element'
```
With a script tag:
```html
<script type="module" src="./node_modules/@github/auto-complete-element/dist/bundle.js"></script>
```
```html
<auto-complete src="/users/search" for="users-popup">
  <input type="text" name="users">
  <!--
    Optional clear button:
    - id must match the id of the input or the name of the input plus "-clear"
    - recommended to be *before* UL elements to avoid conflicting with their blur logic
    Please see the note below on this button for more details
  -->
  <button id="users-clear">X</button>
  <ul id="users-popup"></ul>
  <!--
    Optional div for screen reader feedback. Note the ID matches the ul, but with -feedback appended.
    Recommended: Use a "Screen Reader Only" class to position the element off the visual boundary of the page.
  -->
  <div id="users-popup-feedback" class="sr-only"></div>
</auto-complete>
```
If you want to enable auto-select (pressing Enter in the input will select the first option), using the above example:
```html
<auto-complete data-autoselect="true" src="/users/search" for="users-popup">
  ...
</auto-complete>
```
The server response should include the items that matched the search query.
```html
<li role="option">Hubot</li>
<li role="option">Bender</li>
<li role="option">BB-8</li>
<li role="option" aria-disabled="true">R2-D2 (powered down)</li>
```
The `data-autocomplete-value` attribute can be used to define the value for an item whose display text needs to be different:

```html
<li role="option" data-autocomplete-value="bb8">BB-8 (astromech)</li>
```
While `<input type="search">` comes with an 'x' that clears the content of the field and refocuses it on many browsers, that built-in control is not keyboard accessible, so we've opted to enable a customizable clear button so that your keyboard users will be able to interact with it.

As an example, in Chrome this 'x' isn't a button but a div with `pseudo="-webkit-search-cancel-button"`. It doesn't have a tab index or a way to navigate to it without a mouse. Additionally, this control is only visible on mouse hover.
- `open` is true when the auto-complete result list is visible.
- `value` is the selected value from the list, or the empty string when cleared.
- `fetchResult`: you can override the default method used to query for results by overriding this property:

```js
document.querySelector('auto-complete').fetchResult = async (el, url) => (await fetch(url)).text()
```
Request lifecycle events are dispatched on the `<auto-complete>` element. These events do not bubble.

- `loadstart` - The server fetch has started.
- `load` - The network request completed successfully.
- `error` - The network request failed.
- `loadend` - The network request has completed.

Network events are useful for displaying progress states while the request is in-flight.

```js
const completer = document.querySelector('auto-complete')
const container = completer.parentElement
completer.addEventListener('loadstart', () => container.classList.add('is-loading'))
completer.addEventListener('loadend', () => container.classList.remove('is-loading'))
completer.addEventListener('load', () => container.classList.add('is-success'))
completer.addEventListener('error', () => container.classList.add('is-error'))
```
`auto-complete-change` is dispatched after a value is selected. In `event.detail` you can find:

- `relatedTarget`: The HTMLInputElement controlling the auto-complete result list.

```js
completer.addEventListener('auto-complete-change', function(event) {
  console.log('Auto-completed value chosen or cleared', completer.value)
  console.log('Related input element', event.relatedTarget)
})
```
You can call `setCSPTrustedTypesPolicy(policy: TrustedTypePolicy | Promise<TrustedTypePolicy> | null)` from JavaScript to set a CSP trusted types policy, which can perform (synchronous) filtering or rejection of the `fetch` response before it is inserted into the page:

```ts
import AutoCompleteElement from 'auto-complete-element'
import DOMPurify from 'dompurify' // Using https://github.com/cure53/DOMPurify

// This policy removes all HTML markup except links.
const policy = trustedTypes.createPolicy('links-only', {
  createHTML: (htmlText: string) => {
    return DOMPurify.sanitize(htmlText, {
      ALLOWED_TAGS: ['a'],
      ALLOWED_ATTR: ['href'],
      RETURN_TRUSTED_TYPE: true
    })
  }
})
AutoCompleteElement.setCSPTrustedTypesPolicy(policy)
```
The policy has access to the `fetch` response object. Due to platform constraints, only synchronous information from the response (in addition to the HTML text body) can be used in the policy:

```ts
import AutoCompleteElement from 'auto-complete-element'

const policy = trustedTypes.createPolicy('require-server-header', {
  createHTML: (htmlText: string, response: Response) => {
    if (response.headers.get('X-Server-Sanitized') !== 'sanitized=true') {
      // Note: this will reject the contents, but the error may be caught before it shows in the JS console.
      throw new Error('Rejecting HTML that was not marked by the server as sanitized.')
    }
    return htmlText
  }
})
AutoCompleteElement.setCSPTrustedTypesPolicy(policy)
```
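As an added example (not code from the README or the project), the header-checking policy above extended with status and content-type checks, plus a helper that installs it through `setCSPTrustedTypesPolicy()`. The `X-Server-Sanitized: sanitized=true` header comes from the README; the extra checks, the names `gateResultHTML` and `installResultGate`, and the behaviour of installing nothing when `trustedTypes` is absent are assumptions of this example.

```javascript
const REQUIRED_HEADER = 'X-Server-Sanitized' // header name used in the README example
const REQUIRED_VALUE = 'sanitized=true'

// createHTML(htmlText, response) callback: returns the fetched HTML only when
// the response is OK, is served as text/html and carries the server's
// "sanitized" marker; throws otherwise so the element never inserts it.
// Only synchronous response data (status, headers) is consulted, as the
// README notes the body has already been read into htmlText.
function gateResultHTML(htmlText, response) {
  if (!response || !response.ok) {
    throw new Error(`Rejecting HTML: non-OK response (${response ? response.status : 'none'})`)
  }
  const contentType = (response.headers.get('content-type') || '').toLowerCase()
  if (!contentType.startsWith('text/html')) {
    throw new Error(`Rejecting HTML: unexpected content type "${contentType}"`)
  }
  if (response.headers.get(REQUIRED_HEADER) !== REQUIRED_VALUE) {
    throw new Error('Rejecting HTML that was not marked by the server as sanitized.')
  }
  return htmlText
}

// Wraps the gate in a Trusted Types policy and hands it to the element class
// (whatever you imported as AutoCompleteElement). `tt` defaults to the
// browser's trustedTypes global; when it is missing (assumption: no policy is
// installed and null is returned so the caller can decide what to do).
function installResultGate(elementClass, tt = globalThis.trustedTypes) {
  if (!tt) return null
  const policy = tt.createPolicy('require-server-header', { createHTML: gateResultHTML })
  elementClass.setCSPTrustedTypesPolicy(policy)
  return policy
}
```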
Note that:

- The policy applies to `AutoCompleteElement` fetches.
- Call `setCSPTrustedTypesPolicy()` ahead of any other load of the `auto-complete` element in your code.
- The policy may also be supplied as a `Promise<TrustedTypePolicy>`.
- Pass `null` to remove the policy.

Browsers without native custom element support require a polyfill.
```sh
npm install
npm test
```

To view changes locally, run `npm run examples`. In `examples/index.html`, uncomment `<!--<script type="module" src="./dist/bundle.js"></script>-->` and comment out the script referencing the `unpkg` version. This allows you to use the source code in this repo. Otherwise, you will be pulling the latest published code, which will not reflect the local changes you are making.
We have included some custom rules that assist in providing guardrails to confirm this component is being used accessibly.

If you are using the `axe-core` library in your project:

```js
import axe from 'axe-core'
import autoCompleteRulesBuilder from '@github/auto-complete-element/validator'

// Optionally, pass in your app's custom rules object; it will build and return the full object.
const autoCompleteRules = autoCompleteRulesBuilder()
axe.configure(autoCompleteRules)
axe.run(document)
```

To confirm your usage is working as designed:

```js
import {validate} from '@github/auto-complete-element/validator'

validate(document)
```

Passes and failures may be determined by the length of the `passes` and `violations` arrays on the returned object:

```js
{
  passes: [],
  violations: []
}
```
Distributed under the MIT license. See LICENSE for details.