Qute - escape expressions in HTML by default #6194
Conversation
|
I would lean towards including that one into 1.1. I'm not very happy to release a templating engine without default escaping. WDYT? Any chance you could add some documentation about this behavior? |
I thought that 1.1 is released already ;-). If it's easy to backport (and I believe it should be because we did not change in Qute since 1.1 code freeze) then +1.
+1, I'll mention this in the docs. |
extensions/qute/runtime/src/main/java/io/quarkus/qute/runtime/VariantTemplateProducer.java
Outdated
Show resolved
Hide resolved
independent-projects/qute/core/src/main/java/io/quarkus/qute/Escaper.java
Show resolved
Hide resolved
|
Hm, I've been thinking about the implementation and it's very likely not correct. The I'll need to change the default |
independent-projects/qute/core/src/main/java/io/quarkus/qute/Escaper.java
Show resolved
Hide resolved
- resolves quarkusio#6155 - API changes: - introduce TemplateLocator - add Template#getVariant()
| builder.addValueResolver(ValueResolvers.rawResolver()); | ||
|
|
||
| // Escape some characters for HTML templates | ||
| Escaper htmlEscaper = Escaper.builder().add('"', """).add('\'', "'") |
There was a problem hiding this comment.
https://en.wikipedia.org/wiki/List_of_XML_and_HTML_character_entity_references#Predefined_entities_in_XML says ' is available for both xml and html.
| @Override | ||
| public boolean appliesTo(Origin origin, Object result) { | ||
| return !(result instanceof RawString) | ||
| && origin.getVariant().filter(EngineProducer::requiresDefaultEscaping).isPresent(); |
There was a problem hiding this comment.
I'm guessing in the future we'll need to turn this into an SPI for custom escaping of other variant content types. But it can wait.
There was a problem hiding this comment.
+1 for proper SPI... in the furure ;-).
| // Escape some characters for HTML templates | ||
| Escaper htmlEscaper = Escaper.builder().add('"', """).add('\'', "'") | ||
| .add('&', "&").add('<', "<").add('>', ">").build(); | ||
| builder.addResultMapper(new ResultMapper() { |
There was a problem hiding this comment.
Are we sure it's the last mapper? I don't think users should be able to register mappers after this one, no?
There was a problem hiding this comment.
Mappers with higher priority are tried first. So if a user wants to map some object then the priority should be > io.quarkus.qute.WithPriority.DEFAULT_PRIORITY.
| } else if (suffix.equalsIgnoreCase(".json")) { | ||
| return "application/json"; | ||
| return Variant.APPLICATION_JSON; |
There was a problem hiding this comment.
We support JSON but I didn't see any escaper for JSON.
There was a problem hiding this comment.
Well, actually we don't support JSON ATM ;-). TBD
|
|
||
| public final static String TEXT_HTML = "text/html"; | ||
| public final static String TEXT_PLAIN = "text/plain"; | ||
| public final static String TEXT_XML = "text/xml"; |
There was a problem hiding this comment.
Note that XML can be application/xml in many cases, but I don't think it matters here. https://www.ietf.org/rfc/rfc2376.txt
There was a problem hiding this comment.
Yes, I know. But in our case we guess the content type from a file suffix and set always text/xml for *.xml templates.
| } | ||
|
|
||
| @Test | ||
| public void testRawStringRevolver() { |
There was a problem hiding this comment.
| public void testRawStringRevolver() { | |
| public void testRawStringResolver() { |
There was a problem hiding this comment.
I may be blind but what's the suggested change?
There was a problem hiding this comment.
Ok, it's confirmed. I'm blind...
There was a problem hiding this comment.
Most beautiful typo I've seen so far :)
There was a problem hiding this comment.
I'm very good at typos!
independent-projects/qute/core/src/main/java/io/quarkus/qute/TemplateLocator.java
Show resolved
Hide resolved
|
Let's get moving, we can adjust later but we need at least some escaping in 1.1. |
What this PR does?
',",<,>and&are escaped by defaultrawandsafeextension methods for String to "unescape" the value; ie.{foo.myString.raw}RawStringis never escapedTemplatenow has an optionalVariant