Re-add changes from deleted commits

Archmonger · Archmonger · commit f33cc4fa208c · 2025-01-21T02:09:48.000-08:00
diff --git a/pyproject.toml b/pyproject.toml
@@ -54,7 +54,7 @@ artifacts = ["/src/reactpy/static/"]
 artifacts = ["/src/reactpy/static/"]
 
 [tool.hatch.metadata]
-license-files = { paths = ["LICENSE.md"] }
+license-files = { paths = ["LICENSE"] }
 
 [tool.hatch.envs.default]
 installer = "uv"
diff --git a/src/reactpy/html.py b/src/reactpy/html.py
@@ -422,54 +422,10 @@ def _script(
     key is given, the key is inferred to be the content of the script or, lastly its
     'src' attribute if that is given.
 
-    If no attributes are given, the content of the script may evaluate to a function.
-    This function will be called when the script is initially created or when the
-    content of the script changes. The function may itself optionally return a teardown
-    function that is called when the script element is removed from the tree, or when
-    the script content changes.
-
     Notes:
         Do not use unsanitized data from untrusted sources anywhere in your script.
-        Doing so may allow for malicious code injection. Consider this **insecure**
-        code:
-
-        .. code-block::
-
-            my_script = html.script(f"console.log('{user_bio}');")
-
-        A clever attacker could construct ``user_bio`` such that they could escape the
-        string and execute arbitrary code to perform cross-site scripting
-        (`XSS <https://en.wikipedia.org/wiki/Cross-site_scripting>`__`). For example,
-        what if ``user_bio`` were of the form:
-
-        .. code-block:: text
-
-            '); attackerCodeHere(); ('
-
-        This would allow the following Javascript code to be executed client-side:
-
-        .. code-block:: js
-
-            console.log(''); attackerCodeHere(); ('');
-
-        One way to avoid this could be to escape ``user_bio`` so as to prevent the
-        injection of Javascript code. For example:
-
-        .. code-block:: python
-
-            import json
-
-            my_script = html.script(f"console.log({json.dumps(user_bio)});")
-
-        This would prevent the injection of Javascript code by escaping the ``user_bio``
-        string. In this case, the following client-side code would be executed instead:
-
-        .. code-block:: js
-
-            console.log("'); attackerCodeHere(); ('");
-
-        This is a very simple example, but it illustrates the point that you should
-        always be careful when using unsanitized data from untrusted sources.
+        Doing so may allow for malicious code injection
+        (`XSS <https://en.wikipedia.org/wiki/Cross-site_scripting>`__`).
     """
     model: VdomDict = {"tagName": "script"}
 
@@ -481,13 +437,12 @@ def _script(
         if len(children) > 1:
             msg = "'script' nodes may have, at most, one child."
             raise ValueError(msg)
-        elif not isinstance(children[0], str):
+        if not isinstance(children[0], str):
             msg = "The child of a 'script' must be a string."
             raise ValueError(msg)
-        else:
-            model["children"] = children
-            if key is None:
-                key = children[0]
+        model["children"] = children
+        if key is None:
+            key = children[0]
 
     if attributes:
         model["attributes"] = attributes
diff --git a/tests/test_html.py b/tests/test_html.py
@@ -3,47 +3,7 @@
 from reactpy import component, config, html
 from reactpy.testing import DisplayFixture, poll
 from reactpy.utils import Ref
-from tests.tooling.hooks import use_counter, use_toggle
-
-
-async def test_script_mount_unmount(display: DisplayFixture):
-    toggle_is_mounted = Ref()
-
-    @component
-    def Root():
-        is_mounted, toggle_is_mounted.current = use_toggle(True)
-        return html.div(
-            html.div({"id": "mount-state", "data_value": False}),
-            HasScript() if is_mounted else html.div(),
-        )
-
-    @component
-    def HasScript():
-        return html.script(
-            """() => {
-                const mapping = {"false": false, "true": true};
-                const mountStateEl = document.getElementById("mount-state");
-                mountStateEl.setAttribute(
-                    "data-value", !mapping[mountStateEl.getAttribute("data-value")]);
-                return () => mountStateEl.setAttribute(
-                    "data-value", !mapping[mountStateEl.getAttribute("data-value")]);
-            }"""
-        )
-
-    await display.show(Root)
-
-    mount_state = await display.page.wait_for_selector("#mount-state", state="attached")
-    poll_mount_state = poll(mount_state.get_attribute, "data-value")
-
-    await poll_mount_state.until_equals("true")
-
-    toggle_is_mounted.current()
-
-    await poll_mount_state.until_equals("false")
-
-    toggle_is_mounted.current()
-
-    await poll_mount_state.until_equals("true")
+from tests.tooling.hooks import use_counter
 
 
 async def test_script_re_run_on_content_change(display: DisplayFixture):
@@ -54,14 +14,9 @@ def HasScript():
         count, incr_count.current = use_counter(1)
         return html.div(
             html.div({"id": "mount-count", "data_value": 0}),
-            html.div({"id": "unmount-count", "data_value": 0}),
             html.script(
-                f"""() => {{
-                    const mountCountEl = document.getElementById("mount-count");
-                    const unmountCountEl = document.getElementById("unmount-count");
-                    mountCountEl.setAttribute("data-value", {count});
-                    return () => unmountCountEl.setAttribute("data-value", {count});;
-                }}"""
+                'const mountCountEl = document.getElementById("mount-count");'
+                f'mountCountEl.setAttribute("data-value", {count});'
             ),
         )
 
@@ -70,23 +25,11 @@ def HasScript():
     mount_count = await display.page.wait_for_selector("#mount-count", state="attached")
     poll_mount_count = poll(mount_count.get_attribute, "data-value")
 
-    unmount_count = await display.page.wait_for_selector(
-        "#unmount-count", state="attached"
-    )
-    poll_unmount_count = poll(unmount_count.get_attribute, "data-value")
-
     await poll_mount_count.until_equals("1")
-    await poll_unmount_count.until_equals("0")
-
     incr_count.current()
-
     await poll_mount_count.until_equals("2")
-    await poll_unmount_count.until_equals("1")
-
     incr_count.current()
-
     await poll_mount_count.until_equals("3")
-    await poll_unmount_count.until_equals("2")
 
 
 async def test_script_from_src(display: DisplayFixture):
