Qute - escape expressions in HTML by default #6194
Conversation
I would lean towards including that one into 1.1. I'm not very happy to release a templating engine without default escaping. WDYT? Any chance you could add some documentation about this behavior?
I thought that 1.1 is released already ;-). If it's easy to backport (and I believe it should be because we did not change in Qute since 1.1 code freeze) then +1.
+1, I'll mention this in the docs.
extensions/qute/runtime/src/main/java/io/quarkus/qute/runtime/VariantTemplateProducer.java
independent-projects/qute/core/src/main/java/io/quarkus/qute/Escaper.java
Hm, I've been thinking about the implementation and it's very likely not correct. The I'll need to change the default
independent-projects/qute/core/src/main/java/io/quarkus/qute/Escaper.java
- resolves quarkusio#6155
- API changes:
  - introduce TemplateLocator
  - add Template#getVariant()
LGTM
builder.addValueResolver(ValueResolvers.rawResolver()); | ||
|
||
// Escape some characters for HTML templates | ||
Escaper htmlEscaper = Escaper.builder().add('"', """).add('\'', "'") |
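Review bot: the replacement strings in `.add('"', """).add('\'', "'")` are shown here as the characters they decode to, so the snippet reads as unbalanced Java; for an escaper described as "for HTML templates" the replacements are the entity references `&quot;` (or `&#34;`) for `"`, `&#39;` for `'`, and `&amp;`, `&lt;`, `&gt;` for `&`, `<`, `>`, and naming them in the comment above the builder would keep the intent readable wherever the entities get rendered.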
https://en.wikipedia.org/wiki/List_of_XML_and_HTML_character_entity_references#Predefined_entities_in_XML says ' is available for both xml and html.
@Override | ||
public boolean appliesTo(Origin origin, Object result) { | ||
return !(result instanceof RawString) | ||
&& origin.getVariant().filter(EngineProducer::requiresDefaultEscaping).isPresent(); |
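Review bot: `appliesTo` fails open when `origin.getVariant()` is empty: `filter(EngineProducer::requiresDefaultEscaping).isPresent()` is false for a template with no variant, so such a template renders its expressions unescaped even though the PR's aim is escaping by default. Either treat an absent variant as HTML (escape) or document that only templates located with a known variant get the default escaping.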
I'm guessing in the future we'll need to turn this into an SPI for custom escaping of other variant content types. But it can wait.
+1 for proper SPI... in the future ;-).
// Escape some characters for HTML templates | ||
Escaper htmlEscaper = Escaper.builder().add('"', """).add('\'', "'") | ||
.add('&', "&").add('<', "<").add('>', ">").build(); | ||
builder.addResultMapper(new ResultMapper() { |
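Review bot: the five replacements registered in `htmlEscaper` make a value safe as HTML text or inside a quoted attribute value, but not inside a script block, an inline event-handler attribute or a URL attribute; the documentation promised earlier in the thread should state which contexts the default covers, so users know when they still need their own encoding rather than reaching for `raw`.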
Are we sure it's the last mapper? I don't think users should be able to register mappers after this one, no?
Mappers with higher priority are tried first. So if a user wants to map some object then the priority should be > io.quarkus.qute.WithPriority.DEFAULT_PRIORITY.
} else if (suffix.equalsIgnoreCase(".json")) { | ||
return "application/json"; | ||
return Variant.APPLICATION_JSON; |
We support JSON but I didn't see any escaper for JSON.
Well, actually we don't support JSON ATM ;-). TBD
|
||
public final static String TEXT_HTML = "text/html"; | ||
public final static String TEXT_PLAIN = "text/plain"; | ||
public final static String TEXT_XML = "text/xml"; |
Note that XML can be application/xml in many cases, but I don't think it matters here. https://www.ietf.org/rfc/rfc2376.txt
Yes, I know. But in our case we guess the content type from a file suffix and always set text/xml for *.xml templates.
} | ||
|
||
@Test | ||
public void testRawStringRevolver() { |
public void testRawStringRevolver() { | |
public void testRawStringResolver() { |
I may be blind but what's the suggested change?
Revolver != resolver 😄
Ok, it's confirmed. I'm blind...
Most beautiful typo I've seen so far :)
I'm very good at typos!
independent-projects/qute/core/src/main/java/io/quarkus/qute/TemplateLocator.java
Let's get moving, we can adjust later but we need at least some escaping in 1.1.
What this PR does?
- ', ", <, > and & are escaped by default
- raw and safe extension methods for String to "unescape" the value; i.e. {foo.myString.raw}
- RawString is never escaped
- Template now has an optional Variant
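A stand-alone Java sketch of the rules listed above and of the priority discussion earlier in the thread, added here as an illustration rather than Qute's own code: the RawString class, the content types that trigger escaping and the render() helper are assumptions, and the last line of main shows what happens when a template has no variant.

```java
import java.util.Map;
import java.util.Optional;

// Added illustration (not Qute's code): the default-escaping rules from this PR,
// reduced to a self-contained class so the behaviour can be checked in isolation.
public final class DefaultEscapingDemo {

    /** Marker for a value that must be emitted verbatim, standing in for Qute's RawString. */
    public static final class RawString {
        final String value;
        public RawString(String value) { this.value = value; }
    }

    // The five characters the PR escapes by default, with their HTML entity references.
    private static final Map<Character, String> HTML_ENTITIES = Map.of(
            '"', "&quot;", '\'', "&#39;", '&', "&amp;", '<', "&lt;", '>', "&gt;");

    public static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            String replacement = HTML_ENTITIES.get(c);
            if (replacement == null) {
                sb.append(c);
            } else {
                sb.append(replacement);
            }
        }
        return sb.toString();
    }

    /** Assumption: text/html and text/xml variants require escaping; the real predicate
     *  is EngineProducer#requiresDefaultEscaping, which this page does not show. */
    public static boolean requiresDefaultEscaping(Optional<String> contentType) {
        return contentType
                .filter(ct -> ct.equalsIgnoreCase("text/html") || ct.equalsIgnoreCase("text/xml"))
                .isPresent();
    }

    /** Mirrors the result mapper: RawString bypasses escaping, everything else is escaped
     *  only when the template's variant asks for it (an absent variant means no escaping). */
    public static String render(Object result, Optional<String> contentType) {
        if (result instanceof RawString) {
            return ((RawString) result).value;   // what {foo.myString.raw} / .safe produce
        }
        String text = String.valueOf(result);
        return requiresDefaultEscaping(contentType) ? escapeHtml(text) : text;
    }

    public static void main(String[] args) {
        String sample = "Tom & \"Jerry\" <b>'s</b>";   // constructed input containing all five characters
        System.out.println(render(sample, Optional.of("text/html")));               // entities
        System.out.println(render(new RawString(sample), Optional.of("text/html"))); // verbatim
        System.out.println(render(sample, Optional.empty()));                         // no variant: unescaped
    }
}
```

The third line printed by main is the case a defender should watch for: without a variant the mapper's appliesTo() never matches, so the value goes out exactly as supplied.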