
After doing a bit of digging and back-and-forth with an LLM, I think I understand the problem now.

Doing escaping solely on the server creates two problems:

1. You're leaving escaping up to good behavior, which will inevitably lead to some value that needs escaping being missed.

2. You create a double-escape problem on the client as you may need to render the raw output (e.g., rich text) and a server-escaped value would require an "unwinding" on the client.

Beyond this, I also corrected what you pointed out in the docs as that was the opposite of what I intended for that function.

I think the approach will be to do some automatic escaping on the client and then pass some special functions to the render() method on components to allow rendering raw, unescaped user data (i.e., a dangerouslySetInnerHTML equivalent).

If there's anything else specific that you'd add, let me know.

---

You seem like you have a lot of knowledge, but in the future, if you want someone to listen and comprehend what you're saying, avoid the fatalistic, theatrical language and emphasis.

Your point is incredibly helpful and showed me something I wasn't thinking about, but the way you communicated it almost made me ignore it.

If the above isn't correct (or misguided), it'd be best if you just plainly explain why and what should be done instead (and not a wholesale "this could never work, burn it down" response).
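The client-side design sketched in this comment (escape every interpolated value by default, and hand components an explicit `raw()` escape hatch through `render()`), as an added example that is not the commenter's code and not from any project they describe. The template tag, the `RawHtml` marker, `renderComponent`, the `CommentView` component and the sample inputs are all assumptions constructed for illustration; the last function shows the double-escape failure from point 2 concretely.

```javascript
// Added example (not the commenter's code): a tiny client-side renderer that
// escapes every interpolated value by default and exposes raw() as the single,
// explicit way to insert already-trusted HTML. All names here are assumptions.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that matter in HTML text and quoted attributes.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Wrapper marking a string as HTML that must NOT be escaped again.
class RawHtml {
  constructor(html) { this.html = html; }
  toString() { return this.html; }
}

// The dangerouslySetInnerHTML equivalent: the only way to bypass escaping.
// Callers are expected to have sanitized rich text before reaching this point.
function raw(trustedHtml) { return new RawHtml(String(trustedHtml)); }

// Convert one interpolated value to markup: RawHtml (including nested
// templates) passes through, arrays are joined, everything else is escaped.
// Escaping is the default, so a forgotten call cannot introduce XSS.
function toMarkup(value) {
  if (value instanceof RawHtml) return value.html;
  if (Array.isArray(value)) return value.map(toMarkup).join('');
  if (value === null || value === undefined) return '';
  return escapeHtml(value);
}

// Tagged template: html`<p>${userInput}</p>` escapes userInput automatically
// and returns RawHtml so templates can be composed without double-escaping.
function html(strings, ...values) {
  let out = '';
  for (let i = 0; i < strings.length; i++) {
    out += strings[i];
    if (i < values.length) out += toMarkup(values[i]);
  }
  return new RawHtml(out);
}

// Components receive the escape hatch as an argument to render(), so a search
// for "raw(" across the codebase finds every place unescaped data is emitted.
function renderComponent(component, props) {
  return component.render(props, { html, raw }).toString();
}

// Constructed sample component: the author name is plain text (escaped); the
// body is rich text assumed to have been sanitized elsewhere, so it uses raw().
const CommentView = {
  render({ author, sanitizedBody }, { html, raw }) {
    return html`<li><b>${author}</b>: ${raw(sanitizedBody)}</li>`;
  },
};

// The double-escape problem from point 2: a value the server already escaped
// is escaped again on the client, and the browser shows literal "&lt;b&gt;"
// instead of rendering <b>. This is why escaping is done once, at the output.
function doubleEscape(serverEscaped) {
  return toMarkup(serverEscaped);
}

// Usage with constructed input: a hostile author name is neutralized, the
// sanitized body is emitted as markup.
console.log(renderComponent(CommentView, {
  author: '<img src=x onerror=alert(1)>',
  sanitizedBody: '<p>Hello <em>world</em></p>',
}));
console.log(doubleEscape('&lt;b&gt;hi&lt;/b&gt;'));
```

The point of returning `RawHtml` from `html` is that a component composed of other components never re-escapes already-rendered markup, while a bare string from user data always is; `raw()` is the one deliberate exception and is easy to audit.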
