Skip to content

[v10] Add support for functions in component configs#1896

Open
colinrotherham wants to merge 5 commits intosupport/10.xfrom
component-config-functions
Open

[v10] Add support for functions in component configs#1896
colinrotherham wants to merge 5 commits intosupport/10.xfrom
component-config-functions

Conversation

@colinrotherham
Copy link
Copy Markdown
Contributor

@colinrotherham colinrotherham commented Apr 20, 2026

Description

This PR adds a new function config schema type (alongside string, boolean, object and array types)

Support for array types was added recently in:

JavaScript configuration

Config function values via initAll() and createAll(), for example to configure the character count function:

import { CharacterCount, createAll } from 'nhsuk-frontend'

createAll(CharacterCount, {
  countFunction: (string) => string.length
})

Checklist

@colinrotherham colinrotherham temporarily deployed to nhsuk-frontend-pr-1896 April 20, 2026 11:25 Inactive
@colinrotherham colinrotherham added the Enhancement: feature request New feature or request label Apr 20, 2026
@colinrotherham colinrotherham mentioned this pull request Apr 20, 2026
Open
@colinrotherham colinrotherham force-pushed the character-count-grapheme branch from 608a65c to 94917f8 Compare April 20, 2026 12:42
@colinrotherham colinrotherham force-pushed the component-config-functions branch from 5562f44 to c3c6fc7 Compare April 20, 2026 12:42
@colinrotherham colinrotherham temporarily deployed to nhsuk-frontend-pr-1896 April 20, 2026 12:42 Inactive
@colinrotherham colinrotherham force-pushed the character-count-grapheme branch from 94917f8 to efbb062 Compare April 22, 2026 13:48
@colinrotherham colinrotherham force-pushed the component-config-functions branch from c3c6fc7 to e1a7744 Compare April 22, 2026 13:53
@colinrotherham colinrotherham temporarily deployed to nhsuk-frontend-pr-1896 April 22, 2026 13:53 Inactive
@colinrotherham colinrotherham force-pushed the character-count-grapheme branch from efbb062 to da59959 Compare April 27, 2026 08:37
@colinrotherham colinrotherham force-pushed the component-config-functions branch from e1a7744 to 9ac9e9b Compare April 27, 2026 08:37
@colinrotherham colinrotherham temporarily deployed to nhsuk-frontend-pr-1896 April 27, 2026 08:37 Inactive
@colinrotherham colinrotherham force-pushed the character-count-grapheme branch from da59959 to 7f2165b Compare April 28, 2026 11:15
@colinrotherham colinrotherham force-pushed the component-config-functions branch from 9ac9e9b to 93515cf Compare April 28, 2026 11:30
@colinrotherham colinrotherham temporarily deployed to nhsuk-frontend-pr-1896 April 28, 2026 11:31 Inactive
@colinrotherham colinrotherham changed the base branch from character-count-grapheme to support/10.x April 28, 2026 12:01
@colinrotherham colinrotherham force-pushed the component-config-functions branch from 93515cf to 906201e Compare April 28, 2026 12:01
@colinrotherham colinrotherham temporarily deployed to nhsuk-frontend-pr-1896 April 28, 2026 12:02 Inactive
@colinrotherham colinrotherham temporarily deployed to nhsuk-frontend-pr-1896 April 28, 2026 13:44 Inactive
@colinrotherham colinrotherham linked an issue Apr 28, 2026 that may be closed by this pull request
Character count component counts code points, not characters #1619
Open
@colinrotherham colinrotherham mentioned this pull request Apr 28, 2026
Open
MatMoore
MatMoore reviewed May 5, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@MatMoore MatMoore left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The changes themselves look fine, but I am just wondering if there are any security considerations here, so just wanted to flag that.

It seems like the function type is effectively a way to embed a form of inline script, and if you are otherwise blocking inline scripts via a CSP, is this circumventing that protection?

Comment thread packages/nhsuk-frontend/src/nhsuk/common/configuration/normalise-string.mjs Outdated
Copy link
Copy Markdown
Contributor

@MatMoore MatMoore May 5, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

maybe move this to the top so you can use it in the precondition, as it appears in that expression twice.

Copy link
Copy Markdown
Contributor Author

@colinrotherham colinrotherham May 5, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @MatMoore, done in 3617004

@colinrotherham
Copy link
Copy Markdown
Contributor Author

colinrotherham commented May 5, 2026
edited
Loading

It seems like the function type is effectively a way to embed a form of inline script, and if you are otherwise blocking inline scripts via a CSP, is this circumventing that protection?

Thankfully, if this was configured via inline <script>, it would still be blocked by unsafe-inline

You'll also see that when it comes to HTML:

  1. String data-* attributes do not allow arrays, functions or objects
  2. Function data-* attributes are automatically dropped

Config functions are only allowed to be set via initAll(), createAll() or new Component()

Although with JavaScript being JavaScript, you can always continue to overwrite things at will anyway:

CharacterCount.prototype.updateCount = () => {
  // Overwrite count function
}
class CharacterCountDanger extends CharacterCount {
 updateCount() {
   // Extend count function
 }
}

i.e. Adding a config option hasn't introduced any new ways to override functions

@MatMoore
Copy link
Copy Markdown
Contributor

MatMoore commented May 5, 2026

Ah, that makes sense. I was thinking they would be configurable by data attributes.

@sonarqubecloud
Copy link
Copy Markdown

sonarqubecloud Bot commented May 5, 2026

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
88.9% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@MatMoore MatMoore MatMoore approved these changes

Assignees

No one assigned

Labels

Enhancement: feature request New feature or request

Projects

Service Manual Sprint Board
Status: Needs review

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Character count component counts code points, not characters

2 participants

@colinrotherham @MatMoore