
Context-aware escaping #181

@quasicomputational

Description


The HTML spec defines <style> and <script> as 'raw text elements', meaning that escapes in their bodies are not processed (hence, e.g., span:before { content: "Hello!" } cannot be escaped to span:before { content: &quot;Hello!&quot; } - try it in a browser if you don't believe me).

This is a potential footgun with maud: the path of less resistance, letting maud do the escaping, means that the scripts and styles get mangled; however, naively using PreEscaped could theoretically introduce an XSS vulnerability because then there's no check for an errant </.

This is related to #88. I'm afraid that the HTML syntax is so complicated that there's no way to avoid a certain amount of context-awareness here. I don't know what the ideal API looks like, or even if maud can do much better, but at the very least the docs should point out the footgun here.
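As an added example, not maud's own code, here is a plain-Rust sketch of the two points raised above: ordinary HTML escaping applied to CSS (which a browser will not decode inside a raw text element), and the `</tag` check that a PreEscaped path into `<style>` or `<script>` would need. The names `html_escape`, `breaks_out_of_raw_text` and `raw_text_body` are hypothetical helpers, not maud API.

```rust
// Added example (not maud's own code): a guard for text that is going to be
// placed inside a raw text element (<script>/<style>), where escaping does not apply.

/// Ordinary HTML escaping, as a template engine applies it to normal text nodes.
/// Inside <style> or <script> the browser does NOT decode these entities,
/// so `&quot;` stays literally `&quot;` and the CSS/JS is mangled.
pub fn html_escape(s: &str) -> String {
    let mut out = String::with_capacity(s.len());
    for c in s.chars() {
        match c {
            '<' => out.push_str("&lt;"),
            '>' => out.push_str("&gt;"),
            '&' => out.push_str("&amp;"),
            '"' => out.push_str("&quot;"),
            _ => out.push(c),
        }
    }
    out
}

/// Returns true if `body` could terminate the raw text element `tag` early.
/// The HTML tokenizer closes a raw text element at `</tag` (ASCII case-insensitive)
/// followed by whitespace, `/` or `>`; end of input is treated as a hit too,
/// conservatively. `<!--` is also rejected because it switches <script> into the
/// "escaped" state, which changes how a later `</script` is parsed.
pub fn breaks_out_of_raw_text(tag: &str, body: &str) -> bool {
    let lower = body.to_ascii_lowercase();
    let needle = format!("</{}", tag.to_ascii_lowercase());
    let mut start = 0;
    while let Some(pos) = lower[start..].find(needle.as_str()) {
        let after = start + pos + needle.len();
        match lower[after..].chars().next() {
            None => return true,
            Some(c) if c.is_ascii_whitespace() || c == '/' || c == '>' => return true,
            _ => {}
        }
        start = after;
    }
    lower.contains("<!--")
}

/// Only hand content to a PreEscaped-style sink once it has passed the check.
pub fn raw_text_body<'a>(tag: &str, body: &'a str) -> Result<&'a str, String> {
    if breaks_out_of_raw_text(tag, body) {
        Err(format!("content would close <{}> early", tag))
    } else {
        Ok(body)
    }
}
```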

Metadata


    Labels

    bug, context aware escaping (This feature depends on Maud treating certain elements and attributes in a special way), hard, needs design
