{"id":13526924,"url":"https://github.com/fusionjs/fusion-core","last_synced_at":"2025-04-01T08:30:39.720Z","repository":{"id":57372162,"uuid":"108948397","full_name":"fusionjs/fusion-core","owner":"fusionjs","description":"Migrated to https://github.com/fusionjs/fusionjs","archived":true,"fork":false,"pushed_at":"2019-04-30T21:43:17.000Z","size":1117,"stargazers_count":630,"open_issues_count":15,"forks_count":45,"subscribers_count":17,"default_branch":"master","last_synced_at":"2024-10-21T00:35:14.108Z","etag":null,"topics":["fusion","fusionjs"],"latest_commit_sha":null,"homepage":"","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/fusionjs.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2017-10-31T05:13:48.000Z","updated_at":"2024-02-08T19:53:27.000Z","dependencies_parsed_at":"2022-09-10T02:11:09.777Z","dependency_job_id":null,"html_url":"https://github.com/fusionjs/fusion-core","commit_stats":null,"previous_names":[],"tags_count":81,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fusionjs%2Ffusion-core","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fusionjs%2Ffusion-core/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fusionjs%2Ffusion-core/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fusionjs%2Ffusion-core/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/fusionjs","download_url":"https://codeload.github.com/fusionjs/fusion-core/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":222709941,"owners_count":17026767,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["fusion","fusionjs"],"created_at":"2024-08-01T06:01:37.553Z","updated_at":"2024-11-02T11:31:49.383Z","avatar_url":"https://github.com/fusionjs.png","language":"JavaScript","readme":"# fusion-core\n\n[![Build status](https://badge.buildkite.com/f21b82191811f668ef6fe24f6151058a84fa2c645cfa8810d0.svg?branch=master)](https://buildkite.com/uberopensource/fusion-core)\n\nThe `fusion-core` package provides a generic entry point class for FusionJS applications that is used by the FusionJS runtime. It also provides primitives for implementing server-side code, and utilities for assembling plugins into an application to augment its functionality.\n\nIf you're using React, you should use the [`fusion-react`](https://github.com/fusionjs/fusion-react) package instead of `fusion-core`.\n\n---\n\n### Table of contents\n\n* [Usage](#usage)\n* [API](#api)\n  * [App](#app)\n  * [Dependency registration](#dependency-registration)\n  * [Plugin](#plugin)\n  * [Token](#token)\n  * [Memoization](#memoization)\n  * [Middleware](#middleware)\n  * [Sanitization](#sanitization)\n* [Examples](#examples)\n\n---\n\n### Usage\n\n```js\n// main.js\nimport React from 'react';\nimport ReactDOM from 'react-dom';\nimport {renderToString} from 'react-dom/server';\nimport App from 'fusion-core';\n\nconst el = \u003cdiv\u003eHello\u003c/div\u003e;\n\nconst render = el =\u003e\n  __NODE__\n    ? `\u003cdiv id=\"root\"\u003e${renderToString(el)}\u003c/div\u003e`\n    : ReactDOM.render(el, document.getElementById('root'));\n\nexport default function() {\n  return new App(el, render);\n}\n```\n\n---\n\n### API\n\n#### App\n\n```js\nimport App from 'fusion-core';\n```\n\nA class that represents an application. An application is responsible for rendering (both virtual dom and server-side rendering). The functionality of an application is extended via [plugins](#plugin).\n\n**Constructor**\n\n```flow\nconst app: App = new App(el: any, render: Plugin\u003cRender\u003e|Render);\n```\n\n* `el: any` - a template root. In a React application, this would be a React element created via `React.createElement` or a JSX expression.\n* `render: Plugin\u003cRender\u003e|Render` - defines how rendering should occur. A Plugin should provide a value of type `Render`\n  * `type Render = (el:any) =\u003e any`\n\n**app.register**\n\n```flow\napp.register(plugin: Plugin);\napp.register(token: Token, plugin: Plugin);\napp.register(token: Token, value: any);\n```\n\nCall this method to register a plugin or configuration value into a Fusion.js application.\n\nYou can optionally pass a token as the first argument to associate the plugin/value to the token, so that they can be referenced by other plugins within Fusion.js' dependency injection system.\n\n* `plugin: Plugin` - a [Plugin](#plugin) created via [`createPlugin`](#createplugin)\n* `token: Token` - a [Token](#token) created via [`createToken`](#createtoken)\n* `value: any` - a configuration value\n* returns `undefined`\n\n**app.middleware**\n\n```js\napp.middleware((deps: Object\u003cstring, Token\u003e), (deps: Object) =\u003e Middleware);\napp.middleware((middleware: Middleware));\n```\n\n* `deps: Object\u003cstring,Token\u003e` - A map of local dependency names to [DI tokens](#token)\n* `middleware: Middleware` - a [middleware](#middleware)\n* returns `undefined`\n\nThis method is a shortcut for registering middleware plugins. Typically, you should write middlewares as plugins so you can organize different middlewares into different files.\n\n**app.enhance**\n\n```flow\napp.enhance(token: Token, value: any =\u003e Plugin | Value);\n```\n\nThis method is useful for composing / enhancing functionality of existing tokens in the DI system.\n\n**app.cleanup**\n\n```js\nawait app.cleanup();\n```\n\nCalls all plugin cleanup methods. Useful for testing.\n\n* returns `Promise`\n\n---\n\n#### Dependency registration\n\n##### ElementToken\n\n```js\nimport App, {ElementToken} from 'fusion-core';\napp.register(ElementToken, element);\n```\n\nThe element token is used to register the root element with the fusion app. This is typically a react/preact element.\n\n##### RenderToken\n\n```js\nimport ReactDOM from 'react-dom';\nimport {renderToString} from 'react-dom/server';\nconst render = el =\u003e\n  __NODE__\n    ? renderToString(el)\n    : ReactDOM.render(el, document.getElementById('root'));\nimport App, {RenderToken} from 'fusion-core';\nconst app = new App();\napp.register(RenderToken, render);\n```\n\nThe render token is used to register the render function with the fusion app. This is a function that knows how to\nrender your application on the server/browser, and allows `fusion-core` to remain agnostic of the virtualdom library.\n\n##### SSRDeciderToken\n\n```js\nimport App, {SSRDeciderToken} from 'fusion-core';\napp.enhance(SSRDeciderToken, SSRDeciderEnhancer);\n```\n\nThs SSRDeciderToken can be enhanced to control server rendering logic.\n\n##### HttpServerToken\n\n```js\nimport App, {HttpServerToken} from 'fusion-core';\napp.register(HttpServerToken, server);\n```\n\nThe HttpServerToken is used to register the current server as a dependency that can be utilized from plugins that require\naccess to it. This is normally not required but is available for specific usage cases.\n\n---\n\n#### Plugin\n\nA plugin encapsulates some functionality into a single coherent package that exposes a programmatic API and/or installs middlewares into an application.\n\nPlugins can be created via `createPlugin`\n\n```flow\ntype Plugin {\n  deps: Object\u003cstring, Token\u003e,\n  provides: (deps: Object) =\u003e any,\n  middleware: (deps: Object, service: any) =\u003e Middleware,\n  cleanup: ?(service: any) =\u003e void\n}\n```\n\n##### createPlugin\n\n```js\nimport {createPlugin} from 'fusion-core';\n```\n\nCreates a plugin that can be registered via `app.register()`\n\n```flow\nconst plugin: Plugin = createPlugin({\n  deps: Object,\n  provides: (deps: Object) =\u003e any,\n  middleware: (deps: Object, service: any) =\u003e Middleware,\n  cleanup: ?(service: any) =\u003e void\n});\n```\n\n* `deps: Object\u003cstring, Token\u003e` - A map of local dependency names to [DI tokens](#token)\n* `provides: (deps: Object) =\u003e any` - A function that provides a service\n* `middleware: (deps: Object, service: any) =\u003e Middleware` - A function that provides a middleware\n* `cleanup: ?(service: any)` =\u003e Runs when `app.cleanup` is called. Useful for tests\n* returns `plugin: Plugin` - A Fusion.js plugin\n\n---\n\n#### Token\n\nA token is a label that can be associated to a plugin or configuration when they are registered to an application. Other plugins can then import them via dependency injection, by mapping a object key in `deps` to a token\n\n```flow\ntype Token {\n  name: string,\n  ref: mixed,\n  type: number,\n  optional: ?Token,\n}\n```\n\n##### createToken\n\n```flow\nconst token:Token = createToken(name: string);\n```\n\n* `name: string` - a human-readable name for the token. Used for generating useful error messages.\n* returns `token: Token`\n\n---\n\n#### Memoization\n\n```flow\nimport {memoize} from 'fusion-core';\n```\n\nSometimes, it's useful to maintain the same instance of a plugin associated with a request lifecycle. For example, session state.\n\nFusion.js provides a `memoize` utility function to memoize per-request instances.\n\n```js\nconst memoized = {from: memoize((fn: (ctx: Context) =\u003e any))};\n```\n\n* `fn: (ctx: Context) =\u003e any` - A function to be memoized\n* returns `memoized: (ctx: Context) =\u003e any`\n\nIdiomatically, Fusion.js plugins provide memoized instances via a `from` method. This method is meant to be called from a [middleware](#middleware):\n\n```js\ncreatePlugin({\n  deps: {Session: SessionToken},\n  middleware({Session}) {\n    return (ctx, next) =\u003e {\n      const state = Session.from(ctx);\n    }\n  }\n}\n```\n\n---\n\n#### Middleware\n\n```flow\ntype Middleware = (ctx: Context, next: () =\u003e Promise) =\u003e Promise\n```\n\n* `ctx: Context` - a [Context](#context)\n* `next: () =\u003e Promise` - An asynchronous function call that represents rendering\n\nA middleware function is essentially a [Koa](http://koajs.com/) middleware, a function that takes two argument: a `ctx` object that has some FusionJS-specific properties, and a `next` callback function.\nHowever, it has some additional properties on `ctx` and can run both on the `server` and the `browser`.\n\nIn FusionJS, the `next()` call represents the time when virtual dom rendering happens. Typically, you'll want to run all your logic before that, and simply have a `return next()` statement at the end of the function. Even in cases where virtual DOM rendering is not applicable, this pattern is still the simplest way to write a middleware.\n\nIn a few more advanced cases, however, you might want to do things _after_ virtual dom rendering. In that case, you can call `await next()` instead:\n\n```js\nconst middleware = () =\u003e async (ctx, next) =\u003e {\n  // this happens before virtual dom rendering\n  const start = new Date();\n\n  await next();\n\n  // this happens after virtual rendeing, but before the response is sent to the browser\n  console.log('timing: ', new Date() - start);\n};\n```\n\nPlugins can add dependency injected middlewares.\n\n```js\n// fusion-plugin-some-api\nconst APIPlugin = createPlugin({\n  deps: {\n    logger: LoggerToken,\n  },\n  provides: ({logger}) =\u003e {\n    return new APIClient(logger);\n  },\n  middleware: ({logger}, apiClient) =\u003e {\n    return async (ctx, next) =\u003e {\n      // do middleware things...\n      await next();\n      // do middleware things...\n    };\n  },\n});\n```\n\n##### Context\n\nMiddlewares receive a `ctx` object as their first argument. This object has a property called `element` in both server and client.\n\n* `ctx: Object`\n  * `element: Object`\n\nAdditionally, when server-side rendering a page, FusionJS sets `ctx.template` to an object with the following properties:\n\n* `ctx: Object`\n  * `template: Object`\n    * `htmlAttrs: Object` - attributes for the `\u003chtml\u003e` tag. For example `{lang: 'en-US'}` turns into `\u003chtml lang=\"en-US\"\u003e`. Default: empty object\n    * `bodyAttrs: Object` - attributes for the `\u003cbody\u003e` tag. For example `{test: 'test'}` turns into `\u003cbody test=\"test\"\u003e`. Default: empty object\n    * `title: string` - The content for the `\u003ctitle\u003e` tag. Default: empty string\n    * `head: Array\u003cSanitizedHTML\u003e` - A list of [sanitized HTML strings](#html-sanitization). Default: empty array\n    * `body: Array\u003cSanitizedHTML\u003e` - A list of [sanitized HTML strings](#html-sanitization). Default: empty array\n\nWhen a request does not require a server-side render, `ctx.body` follows regular Koa semantics.\n\nIn the server, `ctx` also exposes the same properties as a [Koa context](http://koajs.com/#context)\n\n* `ctx: Object`\n  * `req: http.IncomingMessage` - [Node's `request` object](https://nodejs.org/api/http.html#http_class_http_incomingmessage)\n  * `res: Response` - [Node's `response` object](https://nodejs.org/api/http.html#http_class_http_serverresponse)\n  * `request: Request` - [Koa's `request` object](https://koajs.com/#request): \u003cdetails\u003e\u003csummary\u003eView Koa request details\u003c/summary\u003e\n    * `header: Object` - alias of `request.headers`\n    * `headers: Object` - map of parsed HTTP headers\n    * `method: string` - HTTP method\n    * `url: string` - request URL\n    * `originalUrl: string` - same as `url`, except that `url` may be modified (e.g. for URL rewriting)\n    * `path: string` - request pathname\n    * `query: Object` - parsed querystring as an object\n    * `querystring: string` - querystring without `?`\n    * `host: string` - host and port\n    * `hostname: string` - get hostname when present. Supports X-Forwarded-Host when app.proxy is true, otherwise Host is used\n    * `length:number` - return request Content-Length as a number when present, or undefined.\n    * `origin: string` - request origin, including protocol and host\n    * `href: string` - full URL including protocol, host, and URL\n    * `fresh: boolean` - check for cache negotiation\n    * `stale: boolean` - inverse of `fresh`\n    * `socket: Socket` - request socket\n    * `protocol: string` - return request protocol, \"https\" or \"http\". Supports X-Forwarded-Proto when app.proxy is true\n    * `secure: boolean` - shorthand for ctx.protocol == \"https\" to check if a request was issued via TLS.\n    * `ip: string` - remote IP address\n    * `ips: Array\u003cstring\u003e` - proxy IPs\n    * `subdomains: Array\u003cstring\u003e` - return subdomains as an array.For example, if the domain is \"tobi.ferrets.example.com\": If app.subdomainOffset is not set, ctx.subdomains is \\[\"ferrets\", \"tobi\"\\]\n    * `is: (...types: ...string) =\u003e boolean` - request type check `is('json', 'urlencoded')`\n    * `accepts: (...types: ...string) =\u003e boolean` - request MIME type check\n    * `acceptsEncodings: (...encodings: ...string) =\u003e boolean` - check if encodings are acceptable\n    * `acceptsCharset: (...charsets: ...string) =\u003e boolean` - check if charsets are acceptable\n    * `acceptsLanguages: (...languages: ...string) =\u003e boolean` - check if langs are acceptable\n    * `get: (name: String) =\u003e string` - returns a header field\n  \u003c/details\u003e\n\n  * `response: Response` - [Koa's `response` object](https://koajs.com/#response): \u003cdetails\u003e\u003csummary\u003eView Koa response details\u003c/summary\u003e\n    * `header: Object` - alias of `request.headers`\n    * `headers: Object` - map of parsed HTTP headers\n    * `socket: Socket` - response socket\n    * `status: String` - response status. By default, `response.status` is set to `404` unlike node's `res.statusCode` which defaults to `200`.\n    * `message: String` - response status message. By default, `response.message` is associated with `response.status`.\n    * `length: Number` - response Content-Length as a number when present, or deduce from `ctx.body` when possible, or `undefined`.\n    * `body: String, Buffer, Stream, Object(JSON), null` - get response body\n    * `get: (name: String) =\u003e string` - returns a header field\n    * `set: (field: String, value: String) =\u003e undefined` - set response header `field` to `value`\n    * `set: (fields: Object) =\u003e undefined` - set response `fields`\n    * `append: (field: String, value: String) =\u003e undefined` - append response header `field` with `value`\n    * `remove: (field: String) =\u003e undefined` - remove header `field`\n    * `type: String` - response `Content-Type`\n    * `is: (...types: ...string) =\u003e boolean` - response type check `is('json', 'urlencoded')`\n    * `redirect: (url: String, alt: ?String) =\u003e undefined`- perform a 302 redirect to `url`\n    * `attachment (filename: ?String) =\u003e undefined` - set `Content-Disposition` to \"attachment\" to signal the client to prompt for download. Optionally specify the `filename` of the download.\n    * `headerSent: boolean` - check if a response header has already been sent\n    * `lastModified: Date` - `Last-Modified` header as a `Date`\n    * `etag: String` - set the ETag of a response including the wrapped `\"`s.\n    * `vary: (field: String) =\u003e String` - vary on `field`\n    * `flushHeaders () =\u003e undefined` - flush any set headers, and begin the body\n    \u003c/details\u003e\n\n  * `cookies: {get, set}` - cookies based on [Cookie Module](https://github.com/pillarjs/cookies): \u003cdetails\u003e\u003csummary\u003eView Koa cookies details\u003c/summary\u003e\n    * `get: (name: string, options: ?Object) =\u003e string` - get a cookie\n      * `name: string`\n      * `options: {signed: boolean}`\n    * `set: (name: string, value: string, options: ?Object)`\n      * `name: string`\n      * `value: string`\n      * `options: Object` - Optional\n        * `maxAge: number` - a number representing the milliseconds from Date.now() for expiry\n        * `signed: boolean` - sign the cookie value\n        * `expires: Date` - a Date for cookie expiration\n        * `path: string` - cookie path, /' by default\n        * `domain: string` - cookie domain\n        * `secure: boolean` - secure cookie\n        * `httpOnly: boolean` - server-accessible cookie, true by default\n        * `overwrite: boolean` - a boolean indicating whether to overwrite previously set cookies of the same name (false by default). If this is true, all cookies set during the same request with the same name (regardless of path or domain) are filtered out of the Set-Cookie header when setting this cookie.\n  \u003c/details\u003e\n\n  * `state: Object` - recommended namespace for passing information through middleware and to your frontend views `ctx.state.user = await User.find(id)`\n  * `throw: (status: ?number, message: ?string, properties: ?Object) =\u003e void` - throws an error\n    * `status: number` - HTTP status code\n    * `message: string` - error message\n    * `properties: Object` - is merged to the error object\n  * `assert: (value: any, status: ?number, message: ?string, properties: ?Object)` - throws if `value` is falsy. Uses [Assert](https://github.com/jshttp/http-assert)\n    * `value: any`\n    * `status: number` - HTTP status code\n    * `message: string` - error message\n    * `properties: Object` - is merged to the error object\n  * `respond: boolean` - set to true to bypass Koa's built-in response handling. You should not use this flag.\n  * `app: Object` - a reference to the Koa instance\n\n#### Sanitization\n\n**html**\n\n```js\nimport {html} from 'fusion-core';\n```\n\nA template tag that creates safe HTML objects that are compatible with `ctx.template.head` and `ctx.template.body`. Template string interpolations are escaped. Use this function to prevent XSS attacks.\n\n```flow\nconst sanitized: SanitizedHTML = html`\u003cmeta name=\"viewport\" content=\"width=device-width, initial-scale=1\"\u003e`\n```\n\n**escape**\n\n```js\nimport {escape} from 'fusion-core';\n```\n\nEscapes HTML\n\n```flow\nconst escaped:string = escape(value: string)\n```\n\n* `value: string` - the string to be escaped\n\n**unescape**\n\n```js\nimport {unescape} from 'fusion-core';\n```\n\nUnescapes HTML\n\n```flow\nconst unescaped:string = unescape(value: string)\n```\n\n* `value: string` - the string to be unescaped\n\n**dangerouslySetHTML**\n\n```js\nimport {dangerouslySetHTML} from 'fusion-core';\n```\n\nA function that blindly creates a trusted SanitizedHTML object without sanitizing against XSS. Do not use this function unless you have manually sanitized your input and written tests against XSS attacks.\n\n```flow\nconst trusted:string = dangerouslySetHTML(value: string)\n```\n\n* `value: string` - the string to be trusted\n\n---\n\n### Examples\n\n#### Dependency injection\n\nTo use plugins, you need to register them with your Fusion.js application. You do this by calling\n`app.register` with the plugin and a token for that plugin. The token is a value used to keep track of\nwhat plugins are registered, and to allow plugins to depend on one another.\n\nYou can think of Tokens as names of interfaces. There's a list of common tokens in the `fusion-tokens` package.\n\nHere's how you create a plugin:\n\n```js\nimport {createPlugin} from 'fusion-core';\n// fusion-plugin-console-logger\nconst ConsoleLoggerPlugin = createPlugin({\n  provides: () =\u003e {\n    return console;\n  },\n});\n```\n\nAnd here's how you register it:\n\n```js\n// src/main.js\nimport ConsoleLoggerPlugin from 'fusion-plugin-console-logger';\nimport {LoggerToken} from 'fusion-tokens';\nimport App from 'fusion-core';\n\nexport default function main() {\n  const app = new App(...);\n  app.register(LoggerToken, ConsoleLoggerPlugin);\n  return app;\n}\n```\n\nNow let's say we have a plugin that requires a `logger`. We can map `logger` to `LoggerToken` to inject the logger provided by `ConsoleLoggerPlugin` to the `logger` variable.\n\n```js\n// fusion-plugin-some-api\nimport {createPlugin} from 'fusion-core';\nimport {LoggerToken} from 'fusion-tokens';\n\nconst APIPlugin = createPlugin({\n  deps: {\n    logger: LoggerToken,\n  },\n  provides: ({logger}) =\u003e {\n    logger.log('Hello world');\n    return new APIClient(logger);\n  },\n});\n```\n\nThe API plugin is declaring that it needs a logger that matches the API documented by the `LoggerToken`. The user then provides an implementation of that logger by registering the `fusion-plugin-console-logger` plugin with the `LoggerToken`.\n\n#### Implementing HTTP endpoints\n\nYou can use a plugin to implement a RESTful HTTP endpoint. To achieve this, run code conditionally based on the URL of the request\n\n```js\napp.middleware(async (ctx, next) =\u003e {\n  if (ctx.method === 'GET' \u0026\u0026 ctx.path === '/api/v1/users') {\n    ctx.body = await getUsers();\n  }\n  return next();\n});\n```\n\n#### Serialization and hydration\n\nA plugin can be atomically responsible for serialization/deserialization of data from the server to the client.\n\nThe example below shows a plugin that grabs the project version from package.json and logs it in the browser:\n\n```js\n// plugins/version-plugin.js\nimport fs from 'fs';\nimport {html, unescape, createPlugin} from 'fusion-core'; // html sanitization\n\nexport default createPlugin({\n  middleware: () =\u003e {\n    const data = __NODE__ \u0026\u0026 JSON.parse(fs.readFileSync('package.json').toString());\n    return async (ctx, next) =\u003e {\n      if (__NODE__) {\n        ctx.template.head.push(html`\u003cmeta id=\"app-version\" content=\"${data.version}\"\u003e`);\n        return next();\n      } else {\n        const version = unescape(document.getElementById('app-version').content);\n        console.log(`Version: ${version}`);\n        return next();\n      }\n    });\n  }\n});\n```\n\nWe can then consume the plugin like this:\n\n```js\n// main.js\nimport React from 'react';\nimport App from 'fusion-core';\nimport VersionPlugin from './plugins/version-plugin';\n\nconst root = \u003cdiv\u003eHello world\u003c/div\u003e;\n\nconst render = el =\u003e\n  __NODE__ ? renderToString(el) : render(el, document.getElementById('root'));\n\nexport default function() {\n  const app = new App(root, render);\n  app.register(VersionPlugin);\n  return app;\n}\n```\n\n#### HTML sanitization\n\nDefault-on HTML sanitization is important for preventing security threats such as XSS attacks.\n\nFusion automatically sanitizes `htmlAttrs` and `title`. When pushing HTML strings to `head` or `body`, you must use the `html` template tag to mark your HTML as sanitized:\n\n```js\nimport {html} from 'fusion-core';\n\nconst middleware = (ctx, next) =\u003e {\n  if (ctx.element) {\n    const userData = await getUserData();\n    // userData can't be trusted, and is automatically escaped\n    ctx.template.body.push(html`\u003cdiv\u003e${userData}\u003c/div\u003e`)\n  }\n  return next();\n}\n```\n\nIf `userData` above was `\u003cscript\u003ealert(1)\u003c/script\u003e`, ththe string would be automatically turned into `\u003cdiv\u003e\\u003Cscript\\u003Ealert(1)\\u003C/script\\u003E\u003c/div\u003e`. Note that only `userData` is escaped, but the HTML in your code stays intact.\n\nIf your HTML is complex and needs to be broken into smaller strings, you can also nest sanitized HTML strings like this:\n\n```js\nconst notUserData = html`\u003ch1\u003eHello\u003c/h1\u003e`;\nconst body = html`\u003cdiv\u003e${notUserData}\u003c/div\u003e`;\n```\n\nNote that you cannot mix sanitized HTML with unsanitized strings:\n\n```js\nctx.template.body.push(html`\u003ch1\u003eSafe\u003c/h1\u003e` + 'not safe'); // will throw an error when rendered\n```\n\nAlso note that only template strings can have template tags (i.e. \u003ccode\u003ehtml\u0026#x60;\u0026lt;div\u0026gt;\u0026lt;/div\u0026gt;\u0026#x60;\u003c/code\u003e). The following are NOT valid Javascript: `html\"\u003cdiv\u003e\u003c/div\u003e\"` and `html'\u003cdiv\u003e\u003c/div\u003e'`.\n\nIf you get an \u003ccode\u003eUnsanitized html. You must use html\u0026#x60;[your html here]\u0026#x60;\u003c/code\u003e error, remember to prepend the `html` template tag to your template string.\n\nIf you have already taken steps to sanitize your input against XSS and don't wish to re-sanitize it, you can use `dangerouslySetHTML(string)` to let Fusion render the unescaped dynamic string.\n\n#### Enhancing a dependency\n\nIf you wanted to add a header to every request sent using the registered `fetch`.\n\n```js\napp.register(FetchToken, window.fetch);\napp.enhance(FetchToken, fetch =\u003e {\n  return (url, params = {}) =\u003e {\n    return fetch(url, {\n      ...params,\n      headers: {\n        ...params.headers,\n        'x-test': 'test',\n      },\n    });\n  };\n});\n```\n\nYou can also return a `Plugin` from the enhancer function, which `provides` the enhanced value, allowing\nthe enhancer to have dependencies and even middleware.\n\n```js\napp.register(FetchToken, window.fetch);\napp.enhance(FetchToken, fetch =\u003e {\n  return createPlugin({\n    provides: () =\u003e (url, params = {}) =\u003e {\n      return fetch(url, {\n        ...params,\n        headers: {\n          ...params.headers,\n          'x-test': 'test',\n        },\n      });\n    },\n  });\n});\n```\n\n#### Controlling SSR behavior\n\nBy default we do not perfrom SSR for any paths that match the following extensions: js, gif, jpg, png, pdf and json. You can control SSR behavior by enhancing the SSRDeciderToken. This will give you the ability to apply custom logic around which routes go through the renderer. You may enhance the SSRDeciderToken with either a function, or a plugin if you need dependencies.\n\n```js\nimport {SSRDeciderToken} from 'fusion-core';\napp.enhance(SSRDeciderToken, decide =\u003e ctx =\u003e\n  decide(ctx) \u0026\u0026 !ctx.path.match(/ignore-ssr-route/)\n);\n```\n","funding_links":[],"categories":["JavaScript"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffusionjs%2Ffusion-core","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ffusionjs%2Ffusion-core","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffusionjs%2Ffusion-core/lists"}