Including a <script> tag in a template? #531
Comments
|
You need to add them dynamically, i.e. https://gist.github.com/jeremiahlee/1748966 |
|
I'm new here but I would think that precompiling your templates could solve the issue! |
|
I'm not sure what is breaking for you but on the escaping side,I think this all depends on how the templates are being defined. I would recommend the dynamic approach as |
|
@kpdecker The problem is pretty simple. We use I'll try the compile option, if that's the only option, but that seems a bit like an overkill:/ |
|
Precompiling is generally recommended as it can provide performance benefits (at the expense of requiring a build step). This is a total hack but you might be able to do something like: To work around the HTML parser's behavior here, but that feels like a total hack. |
|
On the handlebars language side we should look how how to escape content generically. |
|
So, I eventually went with templates compilation... but that's still nto good, as it looks like, even though the |
|
If the script elements are in the DOM on final render but not executed then you may very well have to perform manual loading which is outside of the scope of handlebars. This is "here be dragons" from my experience on the subject (granted this was years ago) |
|
I though this could be solvable by a helper of such kind: http://codepen.io/emirotin/pen/rksCx |
|
After thinking about this again, I think that this is a relatively uncommon use case. Rather than creating an additional language construct for this, I've added documentation to the FAQ section highlighting the ability to use a comment to break up this construct when used in an inline template and urging users to use precompiled templates when possible. |
|
Can't you just escape the scripts like this? Probably not very secure though... ` <script src="script1.js"><{{!}}/script> ` ` <script src="script2.js"><{{!}}/script> ` |
|
santafebound You are Genious! |
|
@letsrock85 may I recommend, that you precompile your templates? You avoid such problems altogehter and get a better performance. |
|
@nknapp Just to clarify, precompiling templates does not fix this. The script tag is embedded in the DOM, but it is not executed. |
|
@nevercast Handlebars just computes the string that contains the script. What you do with the string is up to you. You can insert it into the DOM, but that does not execute the scripts. That is correct. For solutions, see https://stackoverflow.com/questions/4619668/executing-script-inside-div-retrieved-by-ajax |
|
Thanks @nknapp, I ended up defining my own script type. |
When having e.g. a markdown-based section in a document where you
reference another document, a HTML-link is generated. However when
previewing changes, the raw HTML is shown.
With setting `html: true` in the configuration for `markdownit`[1],
HTML is detected and properly parsed (Also markup tags such as `<h1>`
are rendered properly just like when using `blackfriday` to request a rendered
section).
Regarding probably harmful side-effects: setting e.g. `<style>* { display:
none !important; }</style>` causes a white page with `markdownit` as
well as with `blackfriday`. `<script>` tags aren't affected since
`handlebars` mostly breaks with `<script>` tags within variables that
are substituted using `{{{var}}}` into the DOM[3].
Please note that I didn't commit the modifications in `embed/bindata.go`
as it seemed to me after looking at the history that those updates are
only done when preparing a release.
[1] https://github.com/markdown-it/markdown-it/blob/1ad3aec2041cd2defa7e299543cc1e42184b680d/lib/presets/default.js#L6-L9
[2] https://github.com/documize/blackfriday/blob/master/markdown.go#L105-L146
[3] handlebars-lang/handlebars.js#531
We're trying to include a couple gists in our content, but obviously adding
<script src="https://gist.github.com/4332573.js"/></script>in a handlebar template breaks it.Is there a way to "escape" the script tags?
The text was updated successfully, but these errors were encountered: