Escaping for EJS templates, opt out.

geddy · Dec 10, 2011 · 2cd6ab3 · 2cd6ab3
1 parent 0ecd7bb
commit 2cd6ab3
Showing 1 changed file with 22 additions and 11 deletions.
diff --git a/lib/template/adapters/ejs/template.js b/lib/template/adapters/ejs/template.js
@@ -16,7 +16,8 @@
  *
 */
 
-var ejs = {};
+var utils = require('../../../utils')
+  , ejs = {};
 
 ejs.Template = function (p) {
   var UNDEF;
@@ -41,13 +42,14 @@ ejs.Template = function (p) {
 };
 
 ejs.Template.prototype = new function () {
-  var _REGEX = /(<%%)|(%%>)|(<%=)|(<%#)|(<%)|(%>\n)|(%>)|(\n)/;
+  var _REGEX = /(<%%)|(%%>)|(<%=)|(<%-)|(<%#)|(<%)|(%>\n)|(%>)|(\n)/;
   this.modes = {
-    EVAL: 'eval',
-    OUTPUT: 'output',
-    APPEND: 'append',
-    COMMENT: 'comment',
-    LITERAL: 'literal'
+    EVAL: 'eval'
+  , ESCAPED: 'escaped'
+  , RAW: 'raw'
+  , APPEND: 'append'
+  , COMMENT: 'comment'
+  , LITERAL: 'literal'
   };
   this.getTemplateTextFromNode = function (node) {
     // Requires the fleegix.xhr module
@@ -118,13 +120,13 @@ ejs.Template.prototype = new function () {
     // Cache/reuse the generated template source for speed
     this.source = this.source || '';
     if (!this.source) { this.generateSource(); }
-    
+
     // Eval the template with the passed data
     // Use 'with' to give local scoping to data obj props
     // ========================
     var _output = ''; // Inner scope var for eval output
     with (this.data) {
-      eval(this.source); 
+      eval(this.source);
     }
     this.markup = _output;
 
@@ -178,7 +180,10 @@ ejs.Template.prototype = new function () {
         this.mode = this.modes.EVAL;
         break;
       case '<%=':
-        this.mode = this.modes.OUTPUT;
+        this.mode = this.modes.ESCAPED;
+        break;
+      case '<%-':
+        this.mode = this.modes.RAW;
         break;
       case '<%#':
         this.mode = this.modes.COMMENT;
@@ -202,8 +207,14 @@ ejs.Template.prototype = new function () {
             case this.modes.EVAL:
               this.source += line;
               break;
+            // Exec, esc, and output
+            case this.modes.ESCAPED:
+              // Add the exec'd, escaped result to the output
+              this.source += '_output += utils.string.escapeXML(' +
+                  line.replace(/;\S*/, '') + ');';
+              break;
             // Exec and output
-            case this.modes.OUTPUT:
+            case this.modes.RAW:
               // Add the exec'd result to the output
               this.source += '_output += ' + line + ';';
               break;