A value that's interpolated directly into the template before parsing.
Static values cannot be updated since they don't define a part and are
effectively merged into the literal part of a lit-html template. Because
they are interpolated before the template is parsed as HTML, static values
may occupy positions in the template that regular interpolations may not,
such as tag and attribute names.
UnsafeStatic values are inherently very unsafe, as the name states. They
can break well-formedness assumptions and aren't escaped, and thus a
potential XSS vulnerability if created from user-provided data.
It's recommended that no user templates ever use UnsafeStatic directly,
but directive-like functions are written by library authors to validate
and sanitize values for a specific purpose, before wrapping in an
UnsafeStatic value.
An example would be a tag() directive that lets a template contain tags
whose names aren't known until runtime, like:
html`<${tag(myTagName)}>Whoa</${tag(MyElement)}>`
Here, tag() should validate that myTagName is a valid HTML tag name,
and throw if it contains any illegal characters.
A value that's interpolated directly into the template before parsing.
Static values cannot be updated since they don't define a part and are effectively merged into the literal part of a lit-html template. Because they are interpolated before the template is parsed as HTML, static values may occupy positions in the template that regular interpolations may not, such as tag and attribute names.
UnsafeStatic values are inherently very unsafe, as the name states. They can break well-formedness assumptions and aren't escaped, and thus a potential XSS vulnerability if created from user-provided data.
It's recommended that no user templates ever use UnsafeStatic directly, but directive-like functions are written by library authors to validate and sanitize values for a specific purpose, before wrapping in an UnsafeStatic value.
An example would be a
tag()directive that lets a template contain tags whose names aren't known until runtime, like:html`<${tag(myTagName)}>Whoa</${tag(MyElement)}>`Here,
tag()should validate thatmyTagNameis a valid HTML tag name, and throw if it contains any illegal characters.