
XSS Protection #213

Closed
mihaiandreicut opened this issue Jul 23, 2021 · 1 comment

Comments

@mihaiandreicut

Q: Is there a way to do this without the escape filter? It's OK, but it's hard to maintain the template.

Additional info: Shopify automatically escapes values if they are used in an unsafe way: https://stackoverflow.com/questions/43729435/how-does-shopify-make-their-liquid-templates-safe-avoid-xss

@msangel
Collaborator

msangel commented Apr 27, 2022

It seems that feature analyzes the DOM tree of the HTML file and, if the variable usage is unsafe, escapes it automatically. This library has no capabilities for HTML parsing; it knows nothing about what HTML is.
True, this library has a jsoup dependency, so technically we can make some predictions if the input parses without issues as HTML and do some manipulations based on that. Not sure it's worth it...

Personally, my opinion on this differs: the user must define whether they want the output to be safe or not. The perfect case is how this is done in the mustache template family: use {{ and }} for escaped output and {{{ and }}} for unescaped output. Unfortunately, Jekyll/Liquid forces users to use the escape and escape_once filters; otherwise all the output will be unescaped. And users seem to forget this, so Shopify makes assumptions and predictions based on the input instead of on the users.

In conclusion: the library has the tooling for introducing such functionality, but the pros of the feature are unclear; also, it's not documented, so there are no clear requirements.
Still, it can be implemented as an optional feature that is turned off by default. PRs are welcome 🙂.
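As an added illustration (not the library's code and not the commenter's), the Java below reimplements the semantics of Liquid's escape and escape_once filters and adds a stand-in substitution routine with an opt-in, off-by-default autoEscape flag modelling the optional feature discussed above. The LiquidEscapeDemo class, its render stand-in and the sample value are assumptions constructed for this example; the library's real parser is not used.

```java
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class LiquidEscapeDemo {
    // `escape`: HTML-escape & < > " ' (Liquid delegates to Ruby's CGI.escapeHTML); & goes first.
    static String escape(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;").replace("'", "&#39;");
    }

    // `escape_once`: like `escape`, but an `&` that already begins an entity (&amp;, &#39;, ...)
    // is left alone, so a value escaped upstream is not double-escaped (mirrors Liquid's Ruby regex).
    private static final Pattern ESCAPE_ONCE = Pattern.compile("[\"><']|&(?!([a-zA-Z]+|#\\d+);)");
    static String escapeOnce(String s) {
        Matcher m = ESCAPE_ONCE.matcher(s);
        StringBuffer out = new StringBuffer();
        while (m.find()) m.appendReplacement(out, Matcher.quoteReplacement(escape(m.group())));
        m.appendTail(out);
        return out.toString();
    }

    // Hypothetical stand-in for the engine (not the library's parser): substitutes {{ var }},
    // {{ var | escape }} and {{ var | escape_once }}. autoEscape models the opt-in, off-by-default
    // feature discussed in the issue: output with no filter gets `escape` applied.
    private static final Pattern TAG = Pattern.compile("\\{\\{\\s*(\\w+)\\s*(?:\\|\\s*(escape_once|escape)\\s*)?\\}\\}");
    static String render(String template, Map<String, String> vars, boolean autoEscape) {
        Matcher m = TAG.matcher(template);
        StringBuffer out = new StringBuffer();
        while (m.find()) {
            String value = vars.getOrDefault(m.group(1), "");
            if ("escape".equals(m.group(2))) value = escape(value);
            else if ("escape_once".equals(m.group(2))) value = escapeOnce(value);
            else if (autoEscape) value = escape(value);
            m.appendReplacement(out, Matcher.quoteReplacement(value));
        }
        m.appendTail(out);
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed user-supplied value: markup that must never reach the browser unescaped.
        Map<String, String> vars = Map.of("name", "Tom & Jerry <script>alert(1)</script>");
        System.out.println(render("Hi {{ name }}", vars, false));          // raw markup: XSS
        System.out.println(render("Hi {{ name | escape }}", vars, false)); // Hi Tom &amp; Jerry &lt;script&gt;...
        System.out.println(render("Hi {{ name }}", vars, true));           // same result via auto-escape
        String once = escape(vars.get("name"));
        System.out.println(escape(once).equals(once) + " " + escapeOnce(once).equals(once)); // false true
    }
}
```

The last line shows the maintenance problem the comment alludes to: chaining escape twice double-escapes (&amp;amp;), while escape_once after escape leaves the value untouched.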

@msangel msangel closed this as completed Jul 30, 2023