Fix SSP/escape bugs, harden column helpers, add tests, docs & CI #7
Merged
Bug fixes
- dt2_cols_escape(): both branches returned the same identity renderer, so
the parameter was a no-op and the default (escape = TRUE) rendered raw HTML
instead of escaping it. It now HTML-escapes when TRUE and renders raw when
FALSE.
- Server-side processing: dt2.js encodes query-string KEYS with
encodeURIComponent (e.g. "search[value]" -> "search%5Bvalue%5D"), but the
parser only decoded values. Global search and ordering were therefore never
applied. Keys are now URL-decoded too.
Improvements
- options$columns footgun: dt2() now injects options$columns from the data when
absent, and a new .dt2_name_to_idx() centralises name->index resolution and
warns loudly (instead of silently returning NA) when options$columns is unset
or a name is unknown. All name-based helpers use it.
- Safer JS interpolation via .dt2_js_str() (jsonlite) replaces
sprintf("'%s'", x) in the format helpers, fixing broken output when values
contain quotes.
- Removed redundant local %||% redefinitions and dead .dt2_resolve_cols();
print.dt2_theme() now shows the class field.
Tests
- Add testthat scaffolding and 43 tests covering the fixed bugs and the new
behaviour (escape, SSP key decoding, column resolution/warnings, JS-string
safety, theme print).
Docs, site & CI
- Logo: rebuilt man/figures/logo.svg with explicit dimensions/padding (was
clipped) and renamed from diagrama-2025-09-11.svg; README uses it. Closes #6
- Real R-CMD-check GitHub Actions workflow; README badge points to it. Closes #1
- Runnable @examples for dt2_order/dt2_search_global/dt2_use_buttons/
dt2_language. Closes #2
- Document the tidytemplate build dependency in _pkgdown.yml. Closes #3
- Explain the options$columns pattern in the formatting & getting-started
vignettes. Closes #4
- Reciprocal @seealso between dt2_buttons() and dt2_use_buttons(). Closes #5
- Grouped pkgdown reference index (was a flat list of 41 functions); README
version badge 0.1.0 -> 0.1.1, CRAN install instructions, author credits
aligned to DESCRIPTION (5 authors).
- Migrate to roxygen2 8.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Review pass over the package: two real bugs fixed, the options$columns footgun closed, JS-string interpolation hardened, a test suite added, plus documentation/site/CI improvements. Closes #1, #2, #3, #4, #5, #6.
Bug fixes
- dt2_cols_escape() — both branches of if (escape) returned the same identity renderer, so the parameter was a no-op and the default escape = TRUE rendered raw HTML instead of escaping it (XSS-prone with untrusted data). Now escapes when TRUE, renders raw when FALSE.
- dt2.js encodes query-string keys with encodeURIComponent (search[value] → search%5Bvalue%5D, order[0][column] → order%5B0%5D…), but .dt2_parse_ssp_request() only decoded values. Global search and ordering were therefore silently never applied. Keys are now URL-decoded.
Improvements
- options$columns footgun — dt2() now injects options$columns from the data when absent (equivalent to dt2.js's client-side derivation), and a new internal .dt2_name_to_idx() centralises name→index resolution and warns instead of silently returning NA when columns are unset or a name is unknown. All name-based helpers use it.
- .dt2_js_str() (via jsonlite) replaces sprintf("'%s'", x) in the format helpers, fixing invalid JS when values contain quotes.
- %||% redefinitions and dead .dt2_resolve_cols(); print.dt2_theme() now shows the class field.
Tests
- testthat scaffolding + 43 tests covering the fixed bugs and the new behaviour (escape, SSP key decoding, column resolution/warnings, JS-string safety, theme print). All passing locally.
Docs, site & CI
- man/figures/logo.svg with explicit dimensions/padding (was clipping the bottom) and renamed from diagrama-2025-09-11.svg; README uses it. (Use the sharper logo.svg in the README #6)
- @examples for dt2_order, dt2_search_global, dt2_use_buttons, dt2_language. (Add runnable @examples to 4 exported helpers #2)
- tidytemplate build dependency in _pkgdown.yml. (Document the tidytemplate build dependency in _pkgdown.yml #3)
- options$columns pattern in the formatting & getting-started vignettes. (Explain the options$columns pattern in vignettes #4)
- @seealso between dt2_buttons() and dt2_use_buttons(). (Clarify overlap between dt2_buttons() and dt2_use_buttons() #5)
- 0.1.0 → 0.1.1, CRAN install instructions, author credits aligned to DESCRIPTION (5 authors).
Notes for the reviewer
- devtools::check() before merge (CI will now run it too).
🤖 Generated with Claude Code
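Added example, not code from this pull request: a JavaScript model of the query-string round trip described under "Bug fixes", showing why a parser that decodes only values never finds search[value] or order[0][column]. All function names and the sample request are constructed for illustration; the package's own parser is written in R.

```javascript
// Hypothetical model of the SSP request round trip; not dt2 code.

// Client side: keys and values both pass through encodeURIComponent,
// which is what the PR describes dt2.js doing.
function encodeQuery(params) {
  return Object.entries(params)
    .map(([k, v]) => `${encodeURIComponent(k)}=${encodeURIComponent(v)}`)
    .join("&");
}

// Decode one component. A malformed %-sequence makes decodeURIComponent
// throw URIError, so the raw text is kept instead of failing the request.
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

// Pre-fix behaviour: values are decoded, keys stay percent-encoded.
function parseValuesOnly(qs) {
  const out = Object.create(null); // no prototype: a "__proto__" key is plain data
  for (const pair of qs.split("&")) {
    if (!pair) continue;
    const i = pair.indexOf("=");
    const key = i < 0 ? pair : pair.slice(0, i);
    out[key] = safeDecode(i < 0 ? "" : pair.slice(i + 1));
  }
  return out;
}

// Post-fix behaviour: keys are URL-decoded as well.
function parseDecoded(qs) {
  const out = Object.create(null);
  for (const [k, v] of Object.entries(parseValuesOnly(qs))) out[safeDecode(k)] = v;
  return out;
}

// Constructed sample request (not captured traffic).
const SAMPLE_QS = encodeQuery({
  draw: "1",
  "search[value]": "o'brien & co",
  "order[0][column]": "2",
  "order[0][dir]": "desc",
});

// Regression check: every parameter the handler reads must be found by name.
function missingKeys(parsed, wanted) {
  return wanted.filter((k) => !(k in parsed));
}
```

Running missingKeys over both parsers with the bracketed names gives a direct regression test: the values-only parser reports all three as missing, the fixed one reports none.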