HS: disable-scripting security attribute (+1 test)

Add hs-scripting-disabled? helper that walks the ancestor chain checking for the disable-scripting attribute. Guard hs-activate! with this check. Add disable-scripting to generator BOOL_ATTRS so the attribute is emitted in generated test setup code. Regen'd spec. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-05 04:49:39 +00:00
parent 79190e4dac
commit 7190a8b1d2
3 changed files with 20 additions and 6 deletions
--- a/lib/hyperscript/integration.sx
+++ b/lib/hyperscript/integration.sx
@@ -99,6 +99,22 @@
 ;; Called once at page load. Finds all elements with _ attribute,
 ;; compiles their hyperscript, and activates them.

+(define
+  hs-scripting-disabled?
+  (fn
+    (el)
+    (if
+      (= el nil)
+      false
+      (if
+        (dom-get-attr el "disable-scripting")
+        true
+        (hs-scripting-disabled? (dom-parent el))))))
+
+;; ── Boot subtree: for dynamic content ───────────────────────────
+;; Called after HTMX swaps or dynamic DOM insertion.
+;; Only activates elements within the given root.
+
 (define
  hs-activate!
  (fn
@@ -108,7 +124,7 @@
      (let
        ((src (dom-get-attr el "_")) (prev (dom-get-data el "hs-script")))
        (when
-          (and src (not (= src prev)))
+          (and src (not (= src prev)) (not (hs-scripting-disabled? el)))
          (when
            (dom-dispatch el "hyperscript:before:init" nil)
            (hs-log-event! "hyperscript:init")
@@ -132,10 +148,6 @@
                      (safe-handler el))))))
            (dom-dispatch el "hyperscript:after:init" nil)))))))

-;; ── Boot subtree: for dynamic content ───────────────────────────
-;; Called after HTMX swaps or dynamic DOM insertion.
-;; Only activates elements within the given root.
-
 (define
  hs-deactivate!
  (fn
--- a/spec/tests/test-hyperscript-behavioral.sx
+++ b/spec/tests/test-hyperscript-behavioral.sx
@@ -2526,6 +2526,7 @@
  (deftest "on a single div"
    (hs-cleanup!)
    (let ((_el-div (dom-create-element "div")) (_el-d1 (dom-create-element "div")))
+      (dom-set-attr _el-div "disable-scripting" "")
      (dom-set-attr _el-d1 "id" "d1")
      (dom-set-attr _el-d1 "_" "on click add .foo")
      (dom-append (dom-body) _el-div)
--- a/tests/playwright/generate-sx-tests.py
+++ b/tests/playwright/generate-sx-tests.py
@@ -399,7 +399,8 @@ def parse_html(html):
                'children': [], 'parent_idx': None
            }
            BOOL_ATTRS = {'checked', 'selected', 'disabled', 'multiple',
-                          'required', 'readonly', 'autofocus', 'hidden', 'open'}
+                          'required', 'readonly', 'autofocus', 'hidden', 'open',
+                          'disable-scripting'}
            for name, val in attrs:
                if name == 'id': el['id'] = val
                elif name == 'class': el['classes'] = (val or '').split()