[stringtemplate-interest] HTML escaping

Florian Weimer fw at deneb.enyo.de
Sat Mar 1 03:08:42 PST 2008


* Roman Odaisky:

> The manual says one should use renderers for escaping. That makes sense for 
> applications that generate SQL, or C, but how does one use ST for JS embedded 
> in HTML? <b>hello $user$</b> and alert("hello $user$") need different 
> escaping, and the possible presence of <![CDATA[ complicates things further.

I guess you have to use separate templates for JavaScript and HTML.
Then you render the JavaScript code to a string, and include it in the
HTML.  Since it's not permitted to use proper HTML escaping inside
<script>...</script> tags, it might be a better idea to put the
JavaScript into a separate file (but this might result in security
issues if it contains private data, so you need to be careful).  Lexing
the generated JavaScript and rewriting string literals and comments
containing offending strings could be another option.
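An added example (not from this thread and not StringTemplate's own code) of the two-template approach the reply describes: one escaper per output context, the JavaScript snippet rendered to a string first and then placed in the HTML, with a check that user data can neither close the script element nor end a CDATA section. The function and template names are mine.

```python
import html
import json


def escape_html(value: str) -> str:
    """Escape for HTML text or quoted-attribute context (<b>hello $user$</b>)."""
    return html.escape(value, quote=True)


def escape_js_string(value: str) -> str:
    """Escape for a JavaScript string literal inside <script>...</script>.

    HTML entities are useless here: the HTML parser does not decode them in
    script content, so &lt; would reach the JS engine literally.  Instead the
    value is JSON-encoded (which handles quotes, backslashes, newlines and
    non-ASCII) and the characters the HTML/XML parser cares about are then
    written as \\uXXXX escapes, so the literal can never contain '</script'
    or the CDATA terminator ']]>'.  The returned text includes its own quotes.
    """
    encoded = json.dumps(value)  # ensure_ascii=True by default
    for ch, repl in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026")):
        encoded = encoded.replace(ch, repl)
    return encoded


def render_page(user: str) -> str:
    """Render the two contexts with two separate hypothetical 'templates'
    (plain format strings standing in for StringTemplate): the JS snippet
    is rendered to a string first, then included in the HTML."""
    html_part = "<b>hello %s</b>" % escape_html(user)
    js_part = "alert(%s);" % escape_js_string(user)
    return "%s\n<script>//<![CDATA[\n%s\n//]]></script>" % (html_part, js_part)


def script_is_intact(page: str) -> bool:
    """Check: exactly one </script> and one ]]> in the page, both from the template."""
    return page.count("</script") == 1 and page.count("]]>") == 1


if __name__ == "__main__":
    # Constructed input that tries to leave both the CDATA block and the script element.
    print(render_page('Mallory"]]></script><script>alert(1)</script>'))
```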
