Added in default encoding and new raw prop. #24
Conversation
The default encoding for properties will be be encoded to help alleviate
issues arising from XSS attacks.
If you wish to avoid this inconvience in your code, you can use the new
triple curley bracket notation to render the raw property:
{{{ rawProperty }}}
|
Finally :) |
Added in default encoding and new raw prop.
| } | ||
|
|
||
| // Identifies all characters in the unicode range: 00A0-9999, ampersands, | ||
| // greater & less than) with their respective html entity. |
There was a problem hiding this comment.
If you just want to escape unsafe characters, just escaping &, <, ", ', and possibly > and ``` (if you want to support unquoted attribute values and HTML comments) is enough for HTML contexts. This is what _.escape and `he.escape()` do, btw.
If you want to encode all non-ASCII symbols as well, use something like he.encode().
What you’re doing now seems like something in between. What is the goal exactly?
There was a problem hiding this comment.
Note that the current approach returns incorrect results because it doesn’t account for http://www.whatwg.org/specs/web-apps/current-work/multipage/tokenization.html#table-charref-overrides.
(It leaves astral symbols/surrogates alone as the range doesn’t match them; so it bypasses that issue.)
Posted some more info here: http://stackoverflow.com/a/23831239/96656
The default encoding for properties will be be encoded to help alleviate
issues arising from XSS attacks.
If you wish to avoid this inconvience in your code, you can use the new
triple curley bracket notation to render the raw property: