Escape ampersand and single quote? #3

escholtz · 2016-04-05T07:42:35Z

Looks like the escaper in the html package escapes single quotes:
https://golang.org/src/html/escape.go?s=3992:4005#L172

It appears that quicktemplate does not. Is that safe?

valyala · 2016-04-05T08:05:27Z

quicktemplate should escape single quotes - see the corresponding code and this test.

Could you provide a short quicktemplate example, which doesn't escape single quote?

escholtz · 2016-04-05T08:34:26Z

Ooops, you are correct. Thanks for the quick response and sorry for wasting your time.

On 2nd glance, looks like the html package also remaps & to &. Does that need to be added?

Test:

{% func TestEscapeAmpersand() %}
  {%s "&" %}
{% endfunc %}

valyala · 2016-04-05T10:32:36Z

looks like the html package also remaps & to &. Does that need to be added?

Yes! Fixed it!

valyala added bug question labels Apr 5, 2016

valyala added a commit that referenced this issue Apr 5, 2016

Issue #3: html-escape '&' to '&'

ebfb475

valyala changed the title ~~Escape single quote?~~ Escape ampersand and single quote? Apr 5, 2016

valyala closed this as completed Apr 5, 2016

valyala added a commit to Vertamedia/quicktemplate that referenced this issue Apr 6, 2016

attempt valyala#3 to fix travis tests

560e05a

Provide feedback