Tempo has no HTML entity escaping #51
Comments
|
Yes I agree with this approach. |
ghost
assigned
|
Fixed in 2.0 with escape, encodeURI/decodeURI functions. |
|
It looks like to me this doesn't escape data by default, but instead requires the inserted text to be escaped explicitly. This is in my opinion the wrong move, as I think many developers inserting data into their templates wouldn't expect to shoot themselves in the foot by doing so. |
|
Yeah I wasn't sure on that one - too me it's a bit heavy handed to escape by default? I'm open to default - are there not cases where you would want it in clear? |
|
I'm just thinking, what if you've got URLs in the data? You can not reliable "unescape" them I think? |
|
Exactly, you'd need to introduce some sort of new syntax. Or, alternatively, you could make the unescape function do something like this: unescape: function (input) {
input.tempoDoNotEscape = true;
}and then later on, when you're getting ready to output the variables, escape all strings that don't have that property on them. |
|
I think I've cracked it Aaron. All values are escaped by default. To disable automatic escaping pass in the 'escape': false parameter: If you disable escaping you can control this at individual value level using the escape and encodeURI filters. |
|
Fixed in 2.0, see http://tempojs.com/2.0/ |
Here's a jsfiddle demonstrating the issue:
http://jsfiddle.net/EtkRL/
Should we escape HTML entities by default starting in 2.0? This would be a "secure by default" approach. Then provide an unescape filter that allows inserting HTML entities in the page.
Alternatively, provide an escape filter and leave stuff unescaped by default.
The text was updated successfully, but these errors were encountered: