Quotes are not escaped #79

Closed
phihag opened this Issue Jan 9, 2012 · 4 comments


phihag commented Jan 9, 2012

This may be an error in mustache, or a misconception of mine, but why are quotes (in attribute values, but optionally everywhere else too) not escaped?

>>> import pystache
>>> pystache.render(u'<div title="{{title}}">Hover</div>', {'title': u'The "mustache" library'})
u'<div title="The "mustache" library">Hover</div>'

I expected

u'<div title="The &quot;mustache&quot; library">Hover</div>'

which matches the output (sans u, of course) I get from mustache.js.
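The behaviour reported above, reproduced as an added Python 3 example (not pystache code and not part of the original comments). `render` is a hypothetical stand-in for the template engine, and `html.escape` is used in place of `cgi.escape`; both outputs are parsed to show where the `title` attribute ends.

```python
import re
from html import escape
from html.parser import HTMLParser

TEMPLATE = '<div title="{{title}}">Hover</div>'  # template from the report
CONTEXT = {'title': 'The "mustache" library'}     # value from the report


def render(template, context, quote):
    """Hypothetical stand-in for a mustache renderer: replaces {{name}} tags
    with the HTML-escaped value. quote=False escapes only &, < and >, as in
    the report; quote=True also escapes double and single quotes."""
    def substitute(match):
        return escape(str(context.get(match.group(1), '')), quote=quote)
    return re.sub(r'\{\{\s*(\w+)\s*\}\}', substitute, template)


class AttrCollector(HTMLParser):
    """Records each start tag with the attributes an HTML parser sees."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parsed_attrs(markup):
    """Attributes of the first start tag in the markup."""
    parser = AttrCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags[0][1]


def round_trips(quote):
    """True if the parsed tag has exactly one attribute, title, equal to the input."""
    attrs = parsed_attrs(render(TEMPLATE, CONTEXT, quote))
    return attrs == {'title': CONTEXT['title']}


if __name__ == '__main__':
    for quote in (False, True):
        out = render(TEMPLATE, CONTEXT, quote)
        print(quote, out, parsed_attrs(out), round_trips(quote))
```

Without quote escaping the parsed `title` stops at the first inner quote and the rest of the value is read as further attribute names; with it, the attribute value matches the input.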

Collaborator

cjerdonek commented Jan 9, 2012

Thanks for the report. This is a known issue (issue #67) that has been fixed in the development branch. Hopefully we'll be releasing that in the not-too-distant future. In the meantime, if you're using what's in master, I believe things should work as you expect if you install markupsafe (the version in master uses markupsafe's escape if markupsafe is available).

@phihag phihag closed this Jan 9, 2012

phihag commented Jan 9, 2012

Since I modify pystache anyways (to get it running under Python 3), I just patched in the fix:

diff --git a/pystache/template.py b/pystache/template.py
index 563d830..a5ee092 100644
--- a/pystache/template.py
+++ b/pystache/template.py
@@ -13 +13 @@ except ImportError:
-    escape = lambda x: cgi.escape(unicode(x))
+    escape = lambda x: cgi.escape(unicode(x), quote=True)
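Review bot: on the changed line, `cgi.escape(unicode(x), quote=True)` adds escaping for the double quote only; `cgi.escape` never translates the single quote, so a template that delimits an attribute with single quotes, such as `title='{{title}}'`, would still receive an unescaped delimiter. Consider also replacing `'` with `&#39;` in this fallback, or documenting that templates must double-quote attribute values. Because this line sits under `except ImportError:`, a short comment stating that the fallback is meant to escape the same characters as the imported escape function would help keep the two paths consistent.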

With this change, quotes are correctly escaped.

Collaborator

cjerdonek commented Jan 9, 2012

Great!

Collaborator

cjerdonek commented Apr 24, 2012

FYI, I'm just about to release a new version of Pystache (v0.5.1, just pushed to master) with official support for Python 3. If you're still using Pystache, I'd love for you to try it out.
