Next.js Discord

Discord Forum

Shiki Help: Converting codeToHAST to JSX

Answered
ᴉuɐpɹɐɐ posted this in #help-forum
everything is just so angry about my code
Answered by joulev
You need to understand when it’s dangerous and when it’s not. In this case the HTML is generated by Shiki and does not have any XSS risk, so it is safe.

18 Replies

@ᴉuɐpɹɐɐ everything is just so angry about my code
If you are using rehypeReact, why do you get the hast? Just use codeToHtml.
The way I understand rehype-react, it takes an HTML string, not a hast.
In the first place, why even bother with all of this? Just dangerouslySetInnerHTML.
@ᴉuɐpɹɐɐ Fuma says codeToHast, but I'll try.
Because in fuma’s case, the input to .process() is still a string but it is converted to hast in a previous .use() step
ahhhhhhhh
okay
@joulev In the first place, why even bother with all of this? Just `dangerouslySetInnerHTML`
I'm still set to the idea that dangerouslySetInnerHTML is really dangerous,
so just finding out if there are other ways, or just accepting that it's sometimes OK.
However, it should be less dangerous since the content is SSR'd (meaning it's unchanging) and not dynamic like a web code editor.
@ᴉuɐpɹɐɐ I'm still set to the idea that dangerouslySetInnerHTML is really dangerous
You need to understand when it’s dangerous and when it’s not. In this case the HTML is generated by Shiki and does not have any XSS risk, so it is safe.
Them saying it’s dangerous doesn’t mean it’s dangerous at all times.
@joulev You need to understand when it’s dangerous and when it’s not. In this case the HTML is generated by Shiki and does not have any XSS risk, so it is safe.
So whatever I put, even from user input, into Shiki, it won't be dangerous because Shiki's codeToHtml already sanitizes the input?
I mean I can assume that way.
At least.
@ᴉuɐpɹɐɐ So whatever I put, even from user input, into Shiki, it won't be dangerous because Shiki's codeToHtml already sanitizes the input?
If that’s not the case, why would they even expose the codeToHtml function?
@joulev If that’s not the case, why would they even expose the codeToHtml function?
If they are upholding such a high standard then I shan't worry. It's only natural to be a little bit skeptical of other people's code.