A simple library for composable DOM elements using tagged template strings.
If you're looking for a higher level front end framework, try yo-yo. Or even higher than that, try choo.
For a more in depth tutorial on getting started, please check out the wiki.
Create an element:
// list.js
var bel = require('bel')
module.exports = function (items) {
  return bel`<ul>
    ${items.map(function (item) {
      return bel`<li>${item}</li>`
    })}
  </ul>`
}
Then pass data to it and add to the DOM:
// app.js
var createList = require('./list.js')
var list = createList([
  'grizzly',
  'polar',
  'brown'
])
document.body.appendChild(list)
// list.js
var bel = require('bel')
// The DOM is built by the data passed in
module.exports = function (items, onselected) {
  function render () {
    return bel`<ul>
      ${items.map(function (item) {
        return bel`<li>${button(item.id, item.label)}</li>`
      })}
    </ul>`
  }
  function button (id, label) {
    return bel`<button onclick=${function () {
      // Then action gets sent up
      onselected(id)
    }}>${label}</button>`
  }
  var element = render()
  return element
}
// app.js
var bel = require('bel')
var morphdom = require('morphdom')
var list = require('./list.js')
module.exports = function (bears) {
  function onselected (id) {
    // When a bear is selected, rerender with the newly selected item
    // This will use DOM diffing to render, sending the data back down again
    morphdom(element, render(id))
  }
  function render (selected) {
    return bel`<div className="app">
      <h1>Selected: ${selected}</h1>
      ${list(bears, onselected)}
    </div>`
  }
  // On first render, we haven't selected anything
  var element = render('none')
  return element
}
hyperx is built into bel, but there may be times when you wish to use your own version or implementation of hyperx. Or you may prefer to create elements using bel without using tagged template literals:
var createElement = require('bel').createElement
var hyperx = require('hyperx')
var bel = hyperx(createElement)
var element = bel`<div class="heading">Hello!</div>`
// ...
var sameElement = createElement('div', { className: 'heading' }, ['Hello!'])
Transform bel template strings into pure and fast document calls with browserify.
e.g. browserify entry.js -g yo-yoify -o bundle.js
Please use yo-yoify, which will transform any Function.caller into plain strings until an alternative solution to identify element creators is implemented.
yo-yoify can resolve errors like the following:
TypeError: Function.caller used to retrieve strict caller
or
TypeError: access to strict mode caller function is censored
bel sets attributes with element.setAttribute() and element.setAttributeNS(), and creates text nodes with document.createTextNode(). These approaches mitigate some Cross-Site Scripting (XSS) attacks. You should still code carefully every time you put content from users in the DOM.
bel escapes ${values} within template literals. Sometimes that is not desirable; for instance, when parsing a string with markdown, which returns HTML.
To unescape values, use the raw method:
var bel = require('bel')
var raw = require('bel/raw')
function example () {
  var output = '<strong>hello there</strong>'
  return bel`
    <div>${raw(output)}</div>
  `
}
Make sure that you are sticking to the security suggestions above, and sanitize any input for malicious code before using raw.
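One way to follow that advice when the markdown output only needs a few attribute-free tags, shown as an added example that is not part of bel or its README: allowlisted tags pass through in canonical form and everything else is escaped before the string reaches raw. The names ALLOWED_TAGS, escapeText and sanitizeForRaw are hypothetical, and the result is assumed to be used as element content only.

```javascript
// Added example, not bel's own code. Assumptions: the markdown renderer only
// needs the attribute-free tags listed here, and the result is inserted as
// element content (never inside an attribute).
var ALLOWED_TAGS = ['strong', 'em', 'code', 'p', 'ul', 'ol', 'li', 'br']

// Escape text so it can only ever be text. Well-formed entities are kept,
// because an entity decodes to a character, never to markup.
function escapeText (str) {
  return str
    .replace(/&(?!(?:[a-z][a-z0-9]*|#[0-9]+|#x[0-9a-f]+);)/gi, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
}

// Pass through exact allowlisted tags in canonical form; escape the rest.
// A tag carrying any attribute does not match and is escaped whole.
function sanitizeForRaw (html) {
  html = String(html)
  var tag = new RegExp('<(/?)(' + ALLOWED_TAGS.join('|') + ')\\s*/?>', 'gi')
  var out = ''
  var last = 0
  var m
  while ((m = tag.exec(html)) !== null) {
    out += escapeText(html.slice(last, m.index))
    out += '<' + m[1] + m[2].toLowerCase() + '>'
    last = tag.lastIndex
  }
  return out + escapeText(html.slice(last))
}

// Constructed sample: renderer output mixed with user-supplied markup.
var sample = '<strong>hi</strong> <img src=x onerror=track()> <p onclick=go()>x</p>'
var safe = sanitizeForRaw(sample)
console.log(safe)
// With bel, the sanitized string is what goes to raw:
//   bel`<div>${raw(safe)}</div>`
```

A fixed allowlist like this cannot express links or images; output that needs attributes calls for a full HTML sanitizer library instead.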
(c) 2016 Kyle Robinson Young. MIT License
FAQs
A simple extension to native elements
The npm package bel receives a total of 687 weekly downloads. As such, bel popularity was classified as not popular.
We found that bel demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 5 open source maintainers collaborating on the project.