non-escaped interpolation inside a string broken

[jescalan]

Illustrated below:

a(href="#{url}") link title //- evaluates the url variable correctly
a(href="!{url}") link title //- does not interpolate at all

[ForbesLindesay]

The correct syntax is:

a(href="#!{url}") link title

[jescalan]

ssssssnap! 💣 - thanks and sorry for missing that!

[jescalan]

Just kidding, this still doesn't work. Just tested it with the exact code sample you provided above in a blank jade file and it was not interpolated.

[jescalan]

Any word on this one? I could try to jump in and get a pull request to fix this but I'm not super familiar with the jade codebase - any guidance would be helpful 🐸

[ForbesLindesay]

Ah, having spent a bit more time looking at this (and understanding more of the code base myself) this is still the expected behavior.

Consider:

a(href='#{domain}/' + somethingIDontTrust) link title

In order to be safe, the entire attribute must be escaped. The interpolation itself isn't escaped at all, meaning that all you need to do to get un-escaped interpolation in attributes is:

a(href!='#{url}') title

The code where the interpolation happens is here but escaping is done very separately.

[jescalan]

Perfect, this works great. Thanks @ForbesLindesay