HS: disable-scripting security attribute (+1 test)

Add hs-scripting-disabled? helper that walks the ancestor chain checking for the disable-scripting attribute. Guard hs-activate! with this check. Add disable-scripting to generator BOOL_ATTRS so the attribute is emitted in generated test setup code. Regen'd spec. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-05 04:49:39 +00:00
parent 79190e4dac
commit 7190a8b1d2
3 changed files with 20 additions and 6 deletions
--- a/lib/hyperscript/integration.sx
+++ b/lib/hyperscript/integration.sx
@@ -99,6 +99,22 @@
 ;; Called once at page load. Finds all elements with _ attribute,
 ;; compiles their hyperscript, and activates them.

+(define
+  hs-scripting-disabled?
+  (fn
+    (el)
+    (if
+      (= el nil)
+      false
+      (if
+        (dom-get-attr el "disable-scripting")
+        true
+        (hs-scripting-disabled? (dom-parent el))))))
+
+;; ── Boot subtree: for dynamic content ───────────────────────────
+;; Called after HTMX swaps or dynamic DOM insertion.
+;; Only activates elements within the given root.
+
 (define
  hs-activate!
  (fn
@@ -108,7 +124,7 @@
      (let
        ((src (dom-get-attr el "_")) (prev (dom-get-data el "hs-script")))
        (when
-          (and src (not (= src prev)))
+          (and src (not (= src prev)) (not (hs-scripting-disabled? el)))
          (when
            (dom-dispatch el "hyperscript:before:init" nil)
            (hs-log-event! "hyperscript:init")
@@ -132,10 +148,6 @@
                      (safe-handler el))))))
            (dom-dispatch el "hyperscript:after:init" nil)))))))

-;; ── Boot subtree: for dynamic content ───────────────────────────
-;; Called after HTMX swaps or dynamic DOM insertion.
-;; Only activates elements within the given root.
-
 (define
  hs-deactivate!
  (fn