Should Mithril vnodes be fully JSON-compatible? #2733
dead-claudia started this conversation in General
Replies: 1 comment
-
This would very explicitly not be in v2, because of how it changes vnode detection. It won't break 99% of pure front-end users, but it will break major libraries like mithril-node-render who rely on |
-
Description + Why
Currently, Mithril's vnodes are fully JSON-compatible, and this was previously exploited very deliberately in v0.2.x by mithril-objectify. However, as explained by Dan Abramov, it can run you into trouble if you're not careful with a JSON API. Of course, we typically err towards the side of trusting developers to do the right thing, but a hacked third-party server could just as easily return a `{tag: "div", attrs: {innerHTML: "<img src='bad.png' onerror='alert(\"You just got pwned!\")'>"}, children: []}`, leaving a server-driven XSS vector and a very annoying time debugging if the JSON happens to have a top-level tag.

Possible Implementation & Open Questions
I'd add a `"vnode tag": Symbol.for("m.vnode")` to each vnode and have Mithril detect that, falling back to the string `"m.vnode tag"`. For convenience and internal use, I'd add the following method to detect this:

The open question is: should I even do this? If there's no real significant risk and us documenting our detection (which we already do) is sufficient on its own, this bug could just be closed, and if others run into this issue, we just show them the docs.
Is this something you're interested in working on?
Yes, if this ends up materializing into something we decide to do.
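The detection change proposed in the post, worked through as an added example. This is not Mithril's code and not code from the discussion: the property name `"vnode tag"`, the value `Symbol.for("m.vnode")` and the string fallback `"m.vnode tag"` come from the post, while `makeVnode()` (a stand-in for `m()`), the shape-based check, the toy `renderToString()` and the constructed API response are assumptions made for illustration. It contrasts a check that accepts any object shaped like a vnode with one that requires the out-of-band tag, and shows why a JSON document can never carry the symbol form of that tag.

```javascript
// Added example, not Mithril's own code: stamp every vnode with an
// out-of-band tag so JSON-shaped objects from an untrusted API are never
// mistaken for vnodes. "vnode tag", Symbol.for("m.vnode") and the
// "m.vnode tag" fallback are from the post; everything else is made up here.

const VNODE_TAG_KEY = "vnode tag";
const VNODE_TAG =
  typeof Symbol === "function" ? Symbol.for("m.vnode") : "m.vnode tag";

// Stand-in for m(): the only place where the tag gets attached.
function makeVnode(tag, attrs = {}, children = []) {
  return { [VNODE_TAG_KEY]: VNODE_TAG, tag, attrs, children };
}

// Shape-based detection ("has a string tag"): accepts any object that merely
// looks like a vnode, including parsed JSON from a third-party server.
function looksLikeVnodeByShape(value) {
  return value !== null && typeof value === "object" && typeof value.tag === "string";
}

// Proposed detection: the tag property must hold the exact expected value.
function isVnode(value) {
  return value !== null && typeof value === "object" && value[VNODE_TAG_KEY] === VNODE_TAG;
}

function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Toy server-side renderer: only tagged vnodes may emit raw markup
// (including attrs.innerHTML); anything else is rendered as escaped text.
function renderToString(node) {
  if (Array.isArray(node)) return node.map(renderToString).join("");
  if (isVnode(node)) {
    const inner = node.attrs.innerHTML !== undefined
      ? node.attrs.innerHTML
      : renderToString(node.children);
    return `<${node.tag}>${inner}</${node.tag}>`;
  }
  if (node === null || node === undefined) return "";
  // Plain objects such as parsed JSON are shown as inert text, never as markup.
  return escapeHtml(typeof node === "object" ? JSON.stringify(node) : node);
}

// Constructed response from a hypothetical compromised third-party API: it has
// the shape of a vnode but carries no tag, because JSON cannot encode a symbol.
const UNTRUSTED_API_RESPONSE =
  '{"tag":"div","attrs":{"innerHTML":"<img src=\'bad.png\' onerror=\'alert(1)\'>"},"children":[]}';

function renderApiResponse(json) {
  const data = JSON.parse(json);
  return {
    acceptedByShape: looksLikeVnodeByShape(data),
    acceptedByTag: isVnode(data),
    html: renderToString(data),
  };
}

// A genuine vnode that is serialised to JSON and back loses its symbol-valued
// tag (JSON.stringify drops symbol values), so it is no longer a vnode either.
function survivesJsonRoundTrip(vnode) {
  return isVnode(JSON.parse(JSON.stringify(vnode)));
}

const result = renderApiResponse(UNTRUSTED_API_RESPONSE);
console.log(result.acceptedByShape, result.acceptedByTag); // true false
console.log(result.html.includes("<img"));                 // false
```

The symbol form is what makes the tag unrepresentable in JSON; the string fallback `"m.vnode tag"` is only used where `Symbol` is missing, and in that environment a JSON document that happens to contain `"vnode tag": "m.vnode tag"` would still pass `isVnode`, so the fallback path keeps the exact exposure the post describes.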