Can't mark HTML attribute values as html_safe #41

ajb opened this issue Jan 6, 2016 · 1 comment

ajb commented Jan 6, 2016

Maybe I'm doing something wrong or reading the spec wrong, but AFAICT, special characters do not have to be HTML-escaped when inside of attribute values.

Here's Erector:

img

And here's Fortitude:

img

This came up because we were rendering a <script type='text/template'> element, and were using underscore templates (<%= variable_name >) inside of a href="" attribute.

Also, this might be an issue for data-* attributes where there may be special characters that hook into JavaScript plugins?

ageweke (Owner) commented Oct 12, 2016

You’re absolutely right here — it turns out there are really only two characters you need to escape inside Fortitude’s attribute values, because it double-quotes them all: " and &. I made the changes to make it do this, and added a relevant test case. It should now be a lot easier to use those templates!

ageweke closed this as completed Oct 12, 2016
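
The escaping rule from the reply above, as an added Ruby example (not Fortitude's code and not written by either commenter): for attribute values that are always emitted inside double quotes, escaping only `&` and `"` keeps a template placeholder intact while still preventing a value from closing the attribute. The helper names and sample strings are hypothetical and constructed for illustration.

```ruby
require "cgi"

# Hypothetical helper (assumption, not Fortitude's implementation): escape a
# value for use inside a double-quoted HTML attribute. "&" is replaced first
# so the "&quot;" produced for '"' is not escaped a second time.
def escape_double_quoted_attr(value)
  value.to_s.gsub("&", "&amp;").gsub('"', "&quot;")
end

# Hypothetical helper: render an opening tag. Every value is wrapped in double
# quotes, which is the precondition that makes the two-character rule enough.
def open_tag(name, attrs)
  rendered = attrs.map { |k, v| %( #{k}="#{escape_double_quoted_attr(v)}") }.join
  "<#{name}#{rendered}>"
end

# Constructed sample inputs.
TEMPLATE_HREF = "/users/<%= variable_name %>"  # underscore-style placeholder
QUOTE_VALUE   = 'a" data-injected="1'          # value containing double quotes
AMP_VALUE     = "/search?q=a&lang=en"          # value containing an ampersand

# Full HTML escaping rewrites the angle brackets, so a client-side template
# engine no longer finds its delimiters in the attribute.
def fully_escaped(value)
  CGI.escapeHTML(value)
end

puts open_tag("a", href: TEMPLATE_HREF)
puts open_tag("a", href: fully_escaped(TEMPLATE_HREF))
puts open_tag("a", title: QUOTE_VALUE)
puts open_tag("a", href: AMP_VALUE)
```

The two-character rule holds only because every value is written between double quotes; single-quoted or unquoted attribute values need a different escape set.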