This repository has been archived by the owner on Jun 10, 2018. It is now read-only.
escaping.md.eco
## Escaping and unescaping
When you print an expression in a template with `<%%= ... %>`, its
value is HTML-escaped. For example,

    eco.render "<%%= @description %>",
      description: "<strong>HTML 5</strong> mobile app"

would render:

    &lt;strong&gt;HTML 5&lt;/strong&gt; mobile app
You can use the `<%%- ... %>` tag to print the value of an expression
without escaping it. So this code:

    eco.render "<%%- @description %>",
      description: "<strong>HTML 5</strong> mobile app"

would produce:

    <strong>HTML 5</strong> mobile app
It is sometimes useful to generate markup in helper methods. The
special `safe` method on the context object tells Eco that the string
can be printed in `<%%= ... %>` tags without being escaped. You can use
this in conjunction with the context object's `escape` method to
selectively sanitize parts of the string. For example,

    eco.render "<%%= linkTo @project %>",
      project: { id: 4, name: "Crate & Barrel" }
      linkTo: (project) ->
        url = "/projects/#{project.id}"
        name = @escape project.name
        @safe "<a href='#{url}'>#{name}</a>"

would render:

    <a href='/projects/4'>Crate &amp; Barrel</a>
## Custom escape helpers
By default, Eco's `escape` method takes a string and returns an
HTML-escaped string. You can override this behavior to escape for
formats other than HTML, or to bypass escaping entirely. For example,

    eco.render "From: <%%= @address %>",
      address: "Sam Stephenson <sstephenson@gmail.com>"
      escape: (string) -> string

would return:

    From: Sam Stephenson <sstephenson@gmail.com>
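The following is an added example, not Eco's own code, that models the output pipeline described in the two sections above (`<%%= %>` escaping by default, `<%%- %>` printing raw, `safe` marking helper output as already escaped, and an overridable `escape` helper). The `htmlEscape` entity set, the `SafeString` marker class and the `makeContext`, `renderDescription`, `renderLink`, `renderLinkWithoutEscape` and `renderFrom` functions are assumptions made for the example; Eco's real runtime may differ in detail.

```javascript
// Added example: a minimal model of escape-by-default template output.
// Assumption: the exact set of characters Eco's default `escape` replaces
// may differ from the five handled here (text and quoted-attribute contexts).
function htmlEscape(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Marker for strings a helper has already made safe. The `<%= %>` output
// stage leaves these alone, so whoever calls `safe` must escape the parts
// of the string that came from untrusted input before wrapping it.
class SafeString {
  constructor(s) { this.value = String(s); }
  toString() { return this.value; }
}

// Build a rendering context from template locals. A local named `escape`
// overrides the default helper, as in the custom-escape section above.
function makeContext(locals) {
  const ctx = Object.assign({}, locals);
  if (typeof ctx.escape !== "function") ctx.escape = htmlEscape;
  ctx.safe = (s) => new SafeString(s);
  // What `<%= expr %>` does with a value: pass SafeStrings through, escape the rest.
  ctx.print = (v) => (v instanceof SafeString ? v.toString() : ctx.escape(v));
  // What `<%- expr %>` does: emit the value verbatim.
  ctx.printRaw = (v) => String(v);
  return ctx;
}

// `<%= @description %>` versus `<%- @description %>`.
function renderDescription(description, raw = false) {
  const ctx = makeContext({ description });
  return raw ? ctx.printRaw(ctx.description) : ctx.print(ctx.description);
}

// The linkTo helper from the page: escape the untrusted name, then mark
// the assembled markup safe so the output stage does not escape it twice.
function renderLink(project) {
  const ctx = makeContext({ project });
  const linkTo = function (p) {
    const url = `/projects/${p.id}`;
    const name = this.escape(p.name);
    return this.safe(`<a href='${url}'>${name}</a>`);
  };
  return ctx.print(linkTo.call(ctx, ctx.project));
}

// The same helper without the `escape` call: whatever is in `name` lands in
// the output verbatim, because `safe` tells the output stage to trust it.
// This is the failure mode to look for when reviewing helpers that call `safe`.
function renderLinkWithoutEscape(project) {
  const ctx = makeContext({ project });
  const linkTo = function (p) {
    return this.safe(`<a href='/projects/${p.id}'>${p.name}</a>`);
  };
  return ctx.print(linkTo.call(ctx, ctx.project));
}

// "From: <%= @address %>" with an optional custom `escape` helper.
function renderFrom(address, escapeOverride) {
  const locals = { address };
  if (escapeOverride) locals.escape = escapeOverride;
  const ctx = makeContext(locals);
  return "From: " + ctx.print(ctx.address);
}

// Constructed sample inputs (the values used in the page's examples).
const description = "<strong>HTML 5</strong> mobile app";
const project = { id: 4, name: "Crate & Barrel" };
const address = "Sam Stephenson <sstephenson@gmail.com>";

console.log(renderDescription(description));          // escaped entities
console.log(renderDescription(description, true));    // raw <strong> markup
console.log(renderLink(project));                     // Crate &amp; Barrel
console.log(renderLinkWithoutEscape(project));        // Crate & Barrel, unescaped
console.log(renderFrom(address, (s) => s));           // identity escape: raw <...>
console.log(renderFrom(address));                     // default escape: &lt;...&gt;
```

Two points the model makes visible: `safe` is a promise by the helper author, not a check, so a helper that wraps unescaped input in `safe` bypasses the default protection exactly as `<%%- %>` would; and an identity `escape` override applies to every `<%%= %>` tag in the template, so it should only be used where the output format is not HTML or the values are known not to come from user input.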