SSR: Add wp-html and wp-text attribute directive processors

[ockham]

Based on #169.

Per my understanding (and the discussion below), their only difference is that wp-html can contain HTML that is used unescaped, whereas wp-text escapes its value before rendering it.

[ockham]

@luisherranz Looking at #118 (comment), I'm wondering how (if?) wp-text and wp-html need to differ in terms of SSR.

One thing that comes to mind is escaping. Should wp-html run esc_html on the value it is passed? Are there any other differences? 🤔

[luisherranz]

You can't escape the HTML of wp-html. This needs to work:

<?php
wp_store( array( 
  'state' => array(
    'myPlugin' => array(
      'html' => get_some_raw_html_from_somewhere(),
    ),
  ),
) );
?>

<div data-wp-html="state.myPlugin.html">Default content</div>

I am not an expert on the matter, but wp-text should be the safe one and wp-html the unsafe one. We are basically using dangerouslySetInnerHTML underneath in the client.

By the way, should we be more explicit about the risks of wp-html? wp-dangerous-html? 😄

EDIT: I've added that question to the list of decisions that need to be made of the Tracking Issue.

[ockham]

I am not an expert on the matter, but wp-text should be the safe one and wp-html the unsafe one. We are basically using dangerouslySetInnerHTML underneath in the client.

Ah, makes sense! 😅 So I guess I'll add escaping to wp-text then 🤔

By the way, should we be more explicit about the risks of wp-html? wp-dangerous-html? 😄

Maybe 🤔 Close enough to React, I guess.

[ockham]

Opening this for review, now that #169 is in 😊

[DAreRodz]

Looks great to me! ✅

Just adding one missing require_once, and it's ready to go. 😄

Oh, nevermind, I didn't notice it was already addressed.

[ockham]

Thank you @DAreRodz!

I'll rebase to change the prefix to data-wp- 😊