[stringtemplate-interest] HTML escaping

Colin Bean ccbean at gmail.com
Fri Jan 18 14:49:19 PST 2008


Hi Roman,

Haven't tested this yet, but I *think* you could have your HTML
templates in one StringTemplateGroup, your javascript templates in a
second group, and register different renderers per group.  Might also
work with subclassed groups?  If you don't mind this architecture for
your templates, this is the easiest way I can think of.

Colin

On Jan 18, 2008 2:10 PM, Roman Odaisky <roma at qwertty.com> wrote:
> On Friday, 18.01.2008 23:55:43 Terence Parr wrote:
>
> > > The manual says one should use renderers for escaping. That makes
> > > sense for
> > > applications that generate SQL, or C, but how does one use ST for JS
> > > embedded
> > > in HTML? <b>hello $user$</b> and alert("hello $user$") need different
> > > escaping, and the possible presence of <![CDATA[ complicates things
> > > further.
> >
> > Hi. You can use \$ to escape the $ which usually takes care of it even
> > in CDATA.  ST translates to $.
>
> Thanks for such a quick response, but it seems you misunderstood me. I want to
> escape the value of the variable, which can contain quotation marks,
> apostrophes, ampersands and such. The thing is, that has to be done
> differently for HTML and JS. In HTML, < must become &lt; while in JS (which
> is inside a CDATA most of time) that is incorrect, but instead " must become
> \".
>
> Suppose I tell the designer that the "user" variable contains the name of the
> user. He can embed that into HTML as $user$, but has no way to reference the
> variable safely from JS (an XSS possibility arises).
>
> How can one specify more than one rendering option for a variable?
>
> WBR, Roman.
>
> _______________________________________________
> stringtemplate-interest mailing list
> stringtemplate-interest at antlr.org
> http://www.antlr.org:8080/mailman/listinfo/stringtemplate-interest
>
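The arrangement Colin proposes, as an added example that is not part of the thread and not code from the StringTemplate project: each output context gets its own StringTemplateGroup, and each group registers a different AttributeRenderer for java.lang.String, so `$user$` is HTML-escaped when expanded from the HTML group and escaped as a JavaScript string-literal body when expanded from the JS group. The class names HtmlRenderer, JsStringRenderer and TwoGroupEscaping, and the hostile sample value, are constructed for this example; the API calls assume StringTemplate 3.x (StringTemplateGroup, AttributeRenderer with both toString variants, registerRenderer, DefaultTemplateLexer for `$...$` delimiters).

```java
import org.antlr.stringtemplate.AttributeRenderer;
import org.antlr.stringtemplate.StringTemplate;
import org.antlr.stringtemplate.StringTemplateGroup;
import org.antlr.stringtemplate.language.DefaultTemplateLexer;

// Added example (not from the thread): one renderer per output context,
// each registered on its own StringTemplateGroup.
public class TwoGroupEscaping {

    /** Escapes a value for HTML text content or a quoted HTML attribute. */
    static class HtmlRenderer implements AttributeRenderer {
        public String toString(Object o) {
            String s = String.valueOf(o);
            StringBuilder out = new StringBuilder(s.length() + 16);
            for (int i = 0; i < s.length(); i++) {
                char c = s.charAt(i);
                switch (c) {
                    case '&':  out.append("&amp;");  break;
                    case '<':  out.append("&lt;");   break;
                    case '>':  out.append("&gt;");   break;
                    case '"':  out.append("&quot;"); break;
                    case '\'': out.append("&#39;");  break;
                    default:   out.append(c);
                }
            }
            return out.toString();
        }
        // Required by the interface; no named formats are defined in this example.
        public String toString(Object o, String formatName) { return toString(o); }
    }

    /** Escapes a value for use inside a JavaScript string literal ("..." or '...'). */
    static class JsStringRenderer implements AttributeRenderer {
        public String toString(Object o) {
            String s = String.valueOf(o);
            StringBuilder out = new StringBuilder(s.length() + 16);
            for (int i = 0; i < s.length(); i++) {
                char c = s.charAt(i);
                switch (c) {
                    case '\\': out.append("\\\\"); break;
                    case '"':  out.append("\\\""); break;
                    case '\'': out.append("\\'");  break;
                    case '\n': out.append("\\n");  break;
                    case '\r': out.append("\\r");  break;
                    // Hex-escape HTML-significant characters so the literal can never
                    // contain </script> or ]]>, whether or not the script sits in CDATA.
                    case '<':  out.append("\\x3C"); break;
                    case '>':  out.append("\\x3E"); break;
                    case '&':  out.append("\\x26"); break;
                    // JavaScript line terminators that \n and \r handling does not cover.
                    case 0x2028: out.append("\\u2028"); break;
                    case 0x2029: out.append("\\u2029"); break;
                    default:   out.append(c);
                }
            }
            return out.toString();
        }
        public String toString(Object o, String formatName) { return toString(o); }
    }

    public static void main(String[] args) {
        // Group for HTML templates: every String attribute is HTML-escaped.
        StringTemplateGroup html = new StringTemplateGroup("html", DefaultTemplateLexer.class);
        html.registerRenderer(String.class, new HtmlRenderer());

        // Group for JavaScript templates: every String attribute is JS-literal-escaped.
        StringTemplateGroup js = new StringTemplateGroup("js", DefaultTemplateLexer.class);
        js.registerRenderer(String.class, new JsStringRenderer());

        // Constructed hostile input that tries to break out of both contexts.
        String user = "Mallory\"); alert(1); //</script><b onmouseover=\"x\">";

        StringTemplate htmlT = new StringTemplate(html, "<b>hello $user$</b>");
        htmlT.setAttribute("user", user);

        StringTemplate jsT = new StringTemplate(js, "alert(\"hello $user$\");");
        jsT.setAttribute("user", user);

        System.out.println(htmlT.toString());
        System.out.println(jsT.toString());
    }
}
```

Because the renderer is keyed on the attribute's class, the designer never chooses an escaping function: any String expanded through the HTML group is HTML-escaped and any String expanded through the JS group is literal-escaped. The corresponding caveat is that a template in either group cannot emit a raw String at all; a value that must pass through unescaped has to be wrapped in a different type that has no renderer registered.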

