non-escaped interpolation inside a string broken #1028
Comments
The correct syntax is: `a(href="#!{url}") link title`
ssssssnap! 💣 - thanks and sorry for missing that!
Just kidding, this still doesn't work. Just tested it with the exact code sample you provided above in a blank jade file and it was not interpolated.
Any word on this one? I could try to jump in and get a pull request to fix this but I'm not super familiar with the jade codebase - any guidance would be helpful 🐸
Ah, having spent a bit more time looking at this (and understanding more of the code base myself) this is still the expected behavior. Consider:

    a(href='#{domain}/' + somethingIDontTrust) link title

In order to be safe, the entire attribute must be escaped. The interpolation itself isn't escaped at all, meaning that all you need to do to get un-escaped interpolation in attributes is:

    a(href!='#{url}') title

The code where the interpolation happens is here but escaping is done very separately.
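
The two-step behaviour described in the comment above, as an added example that is not part of the thread and not jade's own code: a simplified JavaScript model in which `#{...}` substitution inserts the raw value and escaping is applied once to the finished attribute value. The function names, the `suffix` option and the sample values are assumptions constructed for illustration.

```javascript
// Simplified model of the attribute handling described in the thread.
// Added example: not jade's own code; all names and sample values are constructed.

const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;' };

// Escape the characters that matter inside a double-quoted HTML attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"]/g, (ch) => ENTITIES[ch]);
}

// Step 1: "#{name}" in an attribute string is replaced by the raw local value.
// No escaping happens here.
function interpolate(template, locals) {
  return template.replace(/#\{(\w+)\}/g, (_, name) => String(locals[name]));
}

// Step 2: the finished attribute value is escaped as a whole (`href=`),
// or emitted as-is (`href!=`). `suffix` models `+ somethingIDontTrust`.
function renderHref(template, locals, { escaped = true, suffix = '' } = {}) {
  const value = interpolate(template, locals) + suffix;
  return `<a href="${escaped ? escapeHtml(value) : value}">link title</a>`;
}

// True when the rendered tag still has exactly one quoted attribute value,
// i.e. no data character closed the attribute early.
function attributeIntact(html) {
  return (html.match(/"/g) || []).length === 2;
}

const locals = { url: 'https://example.com/?a=1&b=2', domain: 'https://example.com' };
const somethingIDontTrust = 'p?q="x"<y'; // constructed untrusted input

const samples = {
  trustedRaw: renderHref('#{url}', locals, { escaped: false }),
  trustedEscaped: renderHref('#{url}', locals),
  mixedEscaped: renderHref('#{domain}/', locals, { suffix: somethingIDontTrust }),
  mixedRaw: renderHref('#{domain}/', locals, { escaped: false, suffix: somethingIDontTrust }),
};

for (const [name, html] of Object.entries(samples)) {
  console.log(name.padEnd(15), attributeIntact(html) ? 'intact' : 'BROKEN', html);
}
```

Only `mixedRaw` reports a broken attribute, which is why `!=` is reserved for values that are trusted in full.
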
Perfect, this works great. Thanks @ForbesLindesay
Illustrated below: