Special Attributes
While most attributes are simply passed on to the HTML, some have special behaviors.
The HTML Escape Hatch
If you're working with pre-rendered assets, output from templates, or output from a JS library, then you might want to pass HTML directly instead of going through Dioxus. In these instances, reach for dangerous_inner_html
.
For example, shipping a markdown-to-Dioxus converter might significantly bloat your final application size. Instead, you'll want to pre-render your markdown to HTML and then include the HTML directly in your output. We use this approach for the Dioxus homepage:
// this should come from a trusted source let contents = "live <b>dangerously</b>"; cx.render(rsx! { div { dangerous_inner_html: "{contents}", } })
Note! This attribute is called "dangerous_inner_html" because it is dangerous to pass it data you don't trust. If you're not careful, you can easily expose cross-site scripting (XSS) attacks to your users.
If you're handling untrusted input, make sure to sanitize your HTML before passing it into
dangerous_inner_html
– or just pass it to a Text Element to escape any HTML tags.
Boolean Attributes
Most attributes, when rendered, will be rendered exactly as the input you provided. However, some attributes are considered "boolean" attributes and just their presence determines whether they affect the output. For these attributes, a provided value of "false"
will cause them to be removed from the target element.
So this RSX wouldn't actually render the hidden
attribute:
cx.render(rsx! { div { hidden: "false", "hello" } })
<div>hello</div>
Not all attributes work like this however. Only the following attributes have this behavior:
allowfullscreen
allowpaymentrequest
async
autofocus
autoplay
checked
controls
default
defer
disabled
formnovalidate
hidden
ismap
itemscope
loop
multiple
muted
nomodule
novalidate
open
playsinline
readonly
required
reversed
selected
truespeed
For any other attributes, a value of "false"
will be sent directly to the DOM.