Support unescaped html (#181)

mattesmohr · web-flow · commit 7ac9a1fb286b · 2025-08-07T20:50:59.000+02:00
* Introduce htmlstring to support unescaped html

* Make the comments more explicit
diff --git a/Sources/HTMLKit/Framework/Rendering/Encoding/Encoder.swift b/Sources/HTMLKit/Framework/Rendering/Encoding/Encoder.swift
diff --git a/Sources/HTMLKit/Framework/Rendering/Encoding/HtmlString.swift b/Sources/HTMLKit/Framework/Rendering/Encoding/HtmlString.swift
@@ -0,0 +1,15 @@
+/// A type that remains unescaped during rendering.
+///
+/// > Warning: Use with caution, as this may lead to security vulnerabilities
+/// > if the argument is not properly validated or not trusted.
+@_documentation(visibility: internal)
+public struct HtmlString: Content {
+    
+    /// The wrapped string
+    internal let value: String
+    
+    /// Initializes an html string
+    public init(_ value: String) {
+        self.value = value
+    }
+}
diff --git a/Sources/HTMLKit/Framework/Rendering/Renderer.swift b/Sources/HTMLKit/Framework/Rendering/Renderer.swift
@@ -155,6 +155,9 @@ public struct Renderer {
             case let string as EnvironmentString:
                 try render(envstring: string, on: &result)
                 
+            case let string as HtmlString:
+                result += string.value
+                
             case let doubleValue as Double:
                 result += String(doubleValue)
                 
@@ -501,6 +504,9 @@ public struct Renderer {
             case let string as EnvironmentString:
                 try render(envstring: string, on: &result)
                 
+            case let string as HtmlString:
+                result += string.value
+                
             case let string as String:
                 result += escape(content: string)
                 
diff --git a/Tests/HTMLKitTests/SecurityTests.swift b/Tests/HTMLKitTests/SecurityTests.swift
@@ -111,5 +111,25 @@ final class SecurityTests: XCTestCase {
                        """
         )
     }
+    
+    /// Tests the renderers behaviour when handling a desired unescaped string.
+    ///
+    /// The renderer is expected to emit the string as-is.
+    func testIgnoringHtmlString() throws {
+        
+        let html = "<script></script>"
+        
+        let view = TestView {
+            Paragraph {
+                HtmlString(html)
+            }
+        }
+        
+        XCTAssertEqual(try renderer.render(view: view),
+                       """
+                       <p><script></script></p>
+                       """
+        )
+    }
 }
 
