
Escape HTML by default in templates.

1 parent 23b33cc commit e7cf774b482a4dd6bf043bfafdf283cd8236fce6 @cskr committed Oct 12, 2010
@@ -11,14 +11,14 @@
<% executions.forEach(function(execution) { %>
<tr>
<td>
- <%= h(execution.name()) %>
+ <%= execution.name() %>
</td>
<td>
- <%= h(execution.description()) %>
+ <%= execution.description() %>
</td>
<td>
<a href="/executions/<%= execution._id %>/edit">Edit</a>
- <%= postLink({href: '/executions/' + execution._id + '/delete',
+ <%h postLink({href: '/executions/' + execution._id + '/delete',
onclick: "if(!window.confirm('Are you sure?')) return false;",
text: 'Delete'}) %>
</td>
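Review bot: The `href` on L20 now compiles to `escapeHTML(execution._id)`; if `_id` is not a string (a driver ObjectId, for instance) the helper as shown later in this commit calls `.replace` on it and throws, whereas the old `h()` was never applied to this value. Either coerce in the template, `<%= String(execution._id) %>`, or have escapeHTML stringify its input. The `<%h postLink({href: '/executions/' + execution._id + '/delete', ...` on L22 feeds the same id into a helper whose output is written raw, so postLink has to attribute-escape the href itself; its implementation is outside this diff. The languages and paradigms index hunks below follow the same pattern.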
@@ -5,21 +5,21 @@
<p />
<label for="description">Typing:</label>
-<%= booleanCheckbox({name: 'language.static', state: language.static()}) %> Static
-<%= booleanCheckbox({name: 'language.dynamic', state: language.dynamic()}) %> Dynamic
+<%h booleanCheckbox({name: 'language.static', state: language.static()}) %> Static
+<%h booleanCheckbox({name: 'language.dynamic', state: language.dynamic()}) %> Dynamic
<span style="color: red"><%= error(language, 'typing') %></span>
<p />
<label for="execution">Execution Environment:</label>
-<%= collectionSelect({name: 'language.executionId', id:'execution', items: executions, value: language.executionId(),
+<%h collectionSelect({name: 'language.executionId', id:'execution', items: executions, value: language.executionId(),
valueProp: 'id', labelProp: 'name', prompt: '-- Select --'}) %>
<span style="color: red"><%= error(language, 'executionId', locale) %></span>
<p />
<label for="paradigms">Paradigms:</label>
-<%= collectionSelect({name: 'language.*paradigmIds', id:'paradigms', items: paradigms, value: language.paradigmIds(),
+<%h collectionSelect({name: 'language.*paradigmIds', id:'paradigms', items: paradigms, value: language.paradigmIds(),
valueProp: 'id', labelProp: 'name', size: 4, multiple: 'multiple'}) %>
<span style="color: red"><%= error(language, 'paradigmIds', locale) %></span>
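Review bot: `booleanCheckbox` and `collectionSelect` output is now written unescaped via `<%h` on L31-L43, and the select labels are drawn from the `executions`/`paradigms` `name` fields that the index templates in this same commit treat as untrusted (`<%= execution.name() %>`); unless collectionSelect escapes its `labelProp`/`valueProp` values itself, the form re-introduces the injection this commit is removing elsewhere. Only collectionSelect's closing lines are visible in this diff, so that needs checking in the helper. A comment above the first `<%h` line such as `<%# helpers emitted with <%h bypass escaping: they must escape attribute values and labels themselves %>` (in whatever comment form the template syntax supports) would record the contract for the next template author.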
@@ -12,13 +12,13 @@
<% languages.forEach(function(language) { %>
<tr>
<td>
- <%= h(language.name()) %>
+ <%= language.name() %>
</td>
<td><%= language.static() ? 'Yes' : 'No' %></td>
<td><%= language.dynamic() ? 'Yes' : 'No' %></td>
<td>
<a href="/languages/<%= language._id %>/edit">Edit</a>
- <%= postLink({href: '/languages/' + language._id + '/delete',
+ <%h postLink({href: '/languages/' + language._id + '/delete',
onclick: "if(!window.confirm('Are you sure?')) return false;",
text: 'Delete'}) %>
</td>
@@ -11,14 +11,14 @@
<% paradigms.forEach(function(paradigm) { %>
<tr>
<td>
- <%= h(paradigm.name()) %>
+ <%= paradigm.name() %>
</td>
<td>
- <%= h(paradigm.description()) %>
+ <%= paradigm.description() %>
</td>
<td>
<a href="/paradigms/<%= paradigm._id %>/edit">Edit</a>
- <%= postLink({href: '/paradigms/' + paradigm._id + '/delete',
+ <%h postLink({href: '/paradigms/' + paradigm._id + '/delete',
onclick: "if(!window.confirm('Are you sure?')) return false;",
text: 'Delete'}) %>
</td>
@@ -14,7 +14,7 @@ <h1>Current Cookies</h1>
<table>
<% for(cookie in cookies) { %>
<tr>
- <td style="font-weight: bold"><%= h(cookie) %>: </td><td><%= h(cookies[cookie]) %></td>
+ <td style="font-weight: bold"><%= cookie %>: </td><td><%= cookies[cookie] %></td>
</tr>
<% } %>
</table>
@@ -3,7 +3,7 @@
<title>Welcome</title>
</head>
<body>
- <h1>Welcome, <%= h(user) %>!</h1>
+ <h1>Welcome, <%= user %>!</h1>
<a href="/logout">Logout</a>
</body>
</html>
@@ -1,7 +1,7 @@
<h1>Real-time Results for "<%= searchTags %>"</h1>
<ul id="itemsList">
<% items.forEach(function(item) { %>
- <li><%= h(item.name()) %></li>
+ <li><%= item.name() %></li>
<% }); %>
</ul>
<script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js"></script>
@@ -3,7 +3,7 @@
<title>Welcome</title>
</head>
<body>
- <h1>Welcome, <%= h(user) %>!</h1>
+ <h1>Welcome, <%= user %>!</h1>
<a href="/logout">Logout</a>
</body>
</html>
@@ -1,6 +1,6 @@
<% if(shout.errors) { %>
<p class="error">
- <%= errors(shout).join('</p><p class="error">') %>
+ <%h errors(shout).join('</p><p class="error">') %>
</p>
<% } %>
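Review bot: The validation messages from `errors(shout)` are emitted raw on L120; if any message embeds the submitted value ("... is not a valid ..."), that value reaches the page unescaped, which is the hole the rest of this commit closes. Escape each message before joining so that only the separator markup is trusted: `<%h errors(shout).map(escapeHTML).join('</p><p class="error">') %>`. This assumes `escapeHTML` is reachable from template code the way the compiled `<%= %>` tag relies on it; whether the messages contain user input is not visible here.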
<% if(flash['success']) { %>
@@ -13,10 +13,10 @@
<div class="meta">
<img src="http://www.gravatar.com/avatar/<%= shout.mailHash() %>"
alt="Gravatar" />
- <p><%= h(shout.name()) %></p>
+ <p><%= shout.name() %></p>
</div>
<div class="shout">
- <p><%= h(shout.message()) %></p>
+ <p><%= shout.message() %></p>
</div>
</li>
<% }); %>
@@ -3,7 +3,7 @@
<title>Upload Result</title>
</head>
<body>
- <h1>Thanks, <%= h(name) %>!</h1>
+ <h1>Thanks, <%= name %>!</h1>
<h2>Uploaded successfully!</h2>
</body>
</html>
@@ -3,6 +3,6 @@
<title>Template Sample</title>
</head>
<body>
- <h1>Welcome, <%= h(name) %>!</h1>
+ <h1>Welcome, <%= name %>!</h1>
</body>
</html>
@@ -66,6 +66,13 @@ function compile(text, helpersCount) {
if(part.indexOf("%>") == -1) {
funcBody += "out.write('" + escapeCode(part) + "');";
} else if(part.charAt(0) == '=') {
+ var subParts = part.split('%>');
+ funcBody += "out.write(escapeHTML(" + subParts[0].substring(1)
+ + "));";
+ if(subParts.length > 1) {
+ funcBody += "out.write('" + escapeCode(subParts[1]) + "');";
+ }
+ } else if(part.charAt(0) == 'h') {
var subParts = part.split('%>');
funcBody += "out.write(" + subParts[0].substring(1) + ");";
if(subParts.length > 1) {
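Review bot: The raw-output sigil on L165 is a single identifier character, so any scriptlet whose code starts with `h` and no whitespace — `<%headers.forEach(function(x){ %>` — is now compiled as `out.write(eaders.forEach(...))` (L167 strips the first character) instead of as code; `=` never had this problem because it cannot begin an identifier. Require the separator the templates in this commit already use, `} else if(part.charAt(0) == 'h' && /\s/.test(part.charAt(1))) {`, or choose a non-identifier sigil such as `<%-`. The two branches now differ only in the `escapeHTML(` wrapper, so a single branch with `var raw = part.charAt(0) == 'h';` would avoid maintaining the `%>` split twice. The generated code also assumes `escapeHTML` is bound in the compiled function's scope the way `h` was; compile's beginning and end lie outside this hunk.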
@@ -148,7 +148,7 @@ exports.collectionSelect = function(attribs) {
return tag + '\n' + endTag('select');
};
-exports.h = function(html) {
+exports.escapeHTML = function(html) {
if(html) {
return html.
replace(/&/gmi, '&amp;').
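Review bot: `escapeHTML` returns `undefined` for any falsy input and calls `.replace` on whatever else it receives, and every `<%= %>` tag now routes through it, so `<%= 0 %>` or `<%= '' %>` produce `out.write(undefined)` and a number or ObjectId such as the `_id` used in the index templates' hrefs throws. Normalise at the top of the function: `return String(html == null ? '' : html).` followed by the existing `replace(...)` chain, dropping the `if(html)` guard. Only the `&` replacement is visible and the rest of the chain continues past the hunk; since `<%= %>` is now also used inside `href="..."` attributes, the chain must cover `"` and `'` as well as `<` and `>`.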
@@ -0,0 +1 @@
+<%= '<b>ABC</b>' %>
@@ -1,3 +1,3 @@
<li>
-<%= items.join('</li>\n<li>') %>
+<%h items.join('</li>\n<li>') %>
</li>
@@ -38,5 +38,13 @@ exports.tests = {
assert.equal(response.out, '<li>\nA</li>\n<li>B</li>\n<li>C\n</li>\n');
assert.ok(response.ended);
next();
+ },
+
+ 'Template with escaped HTML.': function(next) {
+ var response = new MockResponse();
+ ghp.fill('./fixtures/ghp/escaped_html.txt', response, {}, 'utf8', './fixtures/ghp', 'txt');
+ assert.equal(response.out, '&lt;b&gt;ABC&lt;/b&gt;\n');
+ assert.ok(response.ended);
+ next();
}
};
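Review bot: The new case on L191-L196 only checks a string containing tags; nothing exercises an empty or non-string value through `<%= %>`, which is exactly where the default-escaping path behaves differently from the old explicit `h()` calls. Add a fixture such as `<%= 42 %>|<%= '' %>` asserting `'42|\n'`, and one that pushes a value containing `<` through `<%h` to pin the passthrough — the existing items fixture covers the separator markup but not untrusted content.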
@@ -49,7 +49,7 @@ exports.tests = {
},
'HTML escape.': function(next) {
- var result = helpers.h('Hello, <i>Chandru</i>!');
+ var result = helpers.escapeHTML('Hello, <i>Chandru</i>!');
assert.equal(result, 'Hello, &lt;i&gt;Chandru&lt;/i&gt;!');
next();
}
