can.Mustache doesn't support SafeString #468

Closed
azazel75 opened this Issue Aug 28, 2013 · 10 comments


azazel75 commented Aug 28, 2013

According to the Handlebars doc at http://handlebarsjs.com/expressions.html#helpers, a helper should use Handlebars.SafeString when returning an HTML string so that it will not be escaped.
Even if can.Mustache doesn't escape strings returned by helpers, it should define it to allow helper interoperability.

Contributor

airhadoken commented Sep 10, 2013

👍 I've found this to be an annoyance when I just want to output <div data-view-id="###"> and forget to triple-brace the Mustache token.

Contributor

justinbmeyer commented Sep 10, 2013

You can use

return can.esc("<foo></bar>")

I don't think we can or should support SafeString, it's a strange name and call signature. Having to use new?

Contributor

justinbmeyer commented Sep 10, 2013

Oh, you want to avoid the triple brace .. while still returning html from a template. That's kinda strange. I am not sure how I feel about that ...

Contributor

airhadoken commented Sep 10, 2013

The behavior of Mustache with helpers is bizarre because I can do {{#some_helper}}{{/some_helper}} and return HTML (usually just a hook) that gets added to the DOM properly, but if I do {{some_helper}} instead it gets escaped.

Note that I fully support escaping HTML by default when dealing with static properties or compute/function return values; I just feel like helpers should get the final say over whether they trust their output.

azazel75 commented Sep 11, 2013

Actually, I've found that if I return from a helper a string containing HTML code it gets escaped, but if I return a new String() object it doesn't.

azazel75 commented Sep 11, 2013

See http://jsfiddle.net/RZ8QH/1/ for a test of this strange behavior

Contributor

daffl commented Sep 24, 2013

This is a JavaScript quirk because typeof new String('Bla') === 'object' and typeof 'Bla' === 'string'. I'm not sure if we need to fix anything here...

@ghost ghost assigned daffl Sep 25, 2013

Contributor

daffl commented Sep 25, 2013

The escaping behaviour should indeed be consistent. I will look into this and see what we can do. I concur with having helpers be able to return HTML that doesn't need the triple braces.

Contributor

justinbmeyer commented Sep 25, 2013

Yeah, but not handlebars safestring API ...

On Sep 25, 2013, at 4:41 PM, David Luecke notifications@github.com wrote:

> The escaping behaviour should indeed be consistent. I will look into this and see what we can do. I concur with having helpers be able to return HTML that doesn't need the triple braces.

Contributor

justinbmeyer commented Oct 25, 2013

```javascript
can.Mustache.safeString = function (str) {
  return {
    toString: function () {
      return str;
    }
  };
};
```
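
The behaviour discussed in this thread, as an added example that is not part of the original comments or of can.Mustache's own code: a simplified model of a renderer that escapes primitive strings but passes objects through, showing why a helper that returns a wrapper object has to escape any untrusted value itself. The names `esc`, `renderDouble`, `viewHook` and `viewHookUnescaped` are hypothetical, and the sample id is constructed.

```javascript
// Added illustration: a simplified model, not can.Mustache source code.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Hypothetical stand-in for an HTML-escaping function.
function esc(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Wrapper in the shape of the last comment: an object whose toString() returns the markup.
function safeString(str) {
  return { toString: () => str };
}

// Models the {{helper}} behaviour reported in the thread:
// primitive strings are escaped, objects are stringified as-is.
function renderDouble(value) {
  return typeof value === 'string' ? esc(value) : String(value);
}

// Helper that vouches only for its own markup: the untrusted id is escaped
// before it is placed inside the wrapper.
function viewHook(id) {
  return safeString('<div data-view-id="' + esc(id) + '"></div>');
}

// Counterpart that wraps the untrusted id unescaped; the renderer can no
// longer protect the page because the wrapper opts out of escaping.
function viewHookUnescaped(id) {
  return safeString('<div data-view-id="' + id + '"></div>');
}

// Constructed sample input containing attribute-breaking characters.
const sampleId = '7"><b>x</b>';

console.log(renderDouble('<b>'));               // primitive: escaped
console.log(renderDouble(new String('<b>')));   // String object: passed through
console.log(renderDouble(viewHook(sampleId)));  // id stays inside the attribute
console.log(renderDouble(viewHookUnescaped(sampleId))); // id breaks out of the attribute
```

Once helpers can opt out of escaping, review moves from the template to every helper that returns a wrapper: each interpolated value inside it needs its own escaping.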