feat(html): add serializableEvent sanitizer and tests for event serialization #1430
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…lization - Introduce `serializableEvent` in `render.ts` to sanitize DOM events, making them serializable by extracting a safe subset of properties. - Add allow-lists for event and event target properties to control what gets serialized. - Update `render.test.ts` to include comprehensive tests for `serializableEvent`, covering Event, KeyboardEvent, MouseEvent, InputEvent (with target value), and CustomEvent (with detail). - Ensure all serialized events are plain objects suitable for structured cloning.
There was a problem hiding this comment.
Pull Request Overview
Adds a serializer for DOM events in render.ts and validates it with new tests.
- Implements
serializableEventto extract an allow-listed subset of event and target properties and ensure plain-object serialization. - Defines property allow-lists (
allowListedEventPropertiesandallowListedEventTargetProperties) and makessanitizeEventdefault to useserializableEvent. - Adds comprehensive tests in
render.test.tscovering generic Event, KeyboardEvent, MouseEvent, InputEvent (with target value), and CustomEvent (with detail).
Reviewed Changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| packages/html/src/render.ts | Introduced serializableEvent, allow-lists for event/target properties, and set it as the default sanitizer. |
| packages/html/test/render.test.ts | Imported and tested serializableEvent, added global event constructors, and helper to verify plain-object serialization. |
Comments suppressed due to low confidence (2)
packages/html/src/render.ts:361
- The generic
<T>return type may be misleading since the function always returns a plain object. Consider specifying a concrete return type likeRecord<string, any>or defining a dedicated serializable event interface.
export function serializableEvent<T>(event: Event): T {
packages/html/src/render.ts:320
- [nitpick] To improve clarity, consider renaming
allowListedEventPropertiesandallowListedEventTargetPropertiestoallowedEventPropertiesandallowedEventTargetProperties, respectively, so the naming more directly reflects their purpose.
const allowListedEventProperties = [
Comment on lines
369
to
371
| targetObject[property] = event.target?.[property as keyof EventTarget]; | ||
| } | ||
| if (Object.keys(targetObject).length > 0) eventObject.target = targetObject; |
There was a problem hiding this comment.
Consider checking for at least one non-undefined property in targetObject before assigning it to eventObject.target, so you don’t include an empty target object for events without relevant target properties.
Suggested change
| targetObject[property] = event.target?.[property as keyof EventTarget]; | |
| } | |
| if (Object.keys(targetObject).length > 0) eventObject.target = targetObject; | |
| const value = event.target?.[property as keyof EventTarget]; | |
| if (value !== undefined) { | |
| targetObject[property] = value; | |
| } | |
| } | |
| if (Object.keys(targetObject).length > 0) { | |
| eventObject.target = targetObject; | |
| } |
There was a problem hiding this comment.
cubic reviewed 2 files and found no issues. Review PR in cubic.dev.
jsantell
approved these changes
Jul 17, 2025
| if (Object.keys(targetObject).length > 0) eventObject.target = targetObject; | ||
|
|
||
| if ((event as CustomEvent).detail !== undefined) { | ||
| eventObject.detail = (event as CustomEvent).detail; |
There was a problem hiding this comment.
detail could contain anything, but the serialization cycle should at least sever e.g. element references
There was a problem hiding this comment.
added comment. my understanding is that only our own custom elements can trigger those, right?
There was a problem hiding this comment.
yes, or at least no CustomEvents fired from default browser interaction
- verify that not allow listed fields are actually filtered
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
serializableEventinrender.tsto sanitize DOM events, making them serializable by extracting a safe subset of properties.render.test.tsto include comprehensive tests forserializableEvent, covering Event, KeyboardEvent, MouseEvent, InputEvent (with target value), and CustomEvent (with detail).Summary by cubic
Added a serializableEvent sanitizer to extract a safe, serializable subset of DOM event properties, and added tests to ensure correct event serialization.