[stringtemplate-interest] HTML escaping

John Snyders jjsnyders at rcn.com
Thu Mar 20 19:16:10 PDT 2008


This may be of interest to you
http://hardlikesoftware.com/weblog/2008/02/15/script-injection-and-stringtemplate/
Just some thoughts. The current best answer is what Terence already 
said; use a format option/renderer.
-John

Roman Odaisky wrote:
> Greetings,
>
> I’m looking for a template engine for a future Web project. I really like the 
> strict philosophy of StringTemplate, but could you please explain one thing:
>
> The manual says one should use renderers for escaping. That makes sense for 
> applications that generate SQL, or C, but how does one use ST for JS embedded 
> in HTML? <b>hello $user$</b> and alert("hello $user$") need different 
> escaping, and the possible presence of <![CDATA[ complicates things further.
>
> WBR, Roman.
> _______________________________________________
> stringtemplate-interest mailing list
> stringtemplate-interest at antlr.org
> http://www.antlr.org:8080/mailman/listinfo/stringtemplate-interest
>   
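As an added example (not code from this list post or from the StringTemplate project): one way to implement the format-option approach John points to, using a single renderer that serves both contexts Roman asks about, HTML element content and a JS string literal inside a script block. It assumes StringTemplate 3.1's AttributeRenderer interface and `$expr; format="name"$` syntax; the class name ContextRenderer and the sample attribute value are constructed for illustration.

```java
import org.antlr.stringtemplate.AttributeRenderer;
import org.antlr.stringtemplate.StringTemplate;

public class ContextRenderer implements AttributeRenderer {
    public String toString(Object o) {
        // No format option given: fail closed with HTML escaping rather than raw output.
        return toString(o, "html");
    }
    public String toString(Object o, String formatName) {
        String s = String.valueOf(o);
        if ("html".equals(formatName)) return escapeHtml(s);
        if ("js".equals(formatName)) return escapeJs(s);
        throw new IllegalArgumentException("unknown format: " + formatName);
    }
    /** For element content and quoted attribute values. */
    static String escapeHtml(String s) {
        StringBuilder b = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  b.append("&amp;");  break;
                case '<':  b.append("&lt;");   break;
                case '>':  b.append("&gt;");   break;
                case '"':  b.append("&quot;"); break;
                case '\'': b.append("&#39;");  break;
                default:   b.append(c);
            }
        }
        return b.toString();
    }
    /** For inside a JS string literal. '<', '>' and ']' become unicode escapes (JS decodes
     *  them inside the literal), so the output can never form a script-end tag, a CDATA
     *  start or a CDATA end, whether or not the script block is wrapped in CDATA. */
    static String escapeJs(String s) {
        StringBuilder b = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            if (c == '\\' || c == '"' || c == '\'') b.append('\\').append(c);
            else if (c < 0x20 || c == '<' || c == '>' || c == ']' || c == 0x2028 || c == 0x2029)
                b.append(String.format("\\u%04x", (int) c));   // covers newlines too
            else b.append(c);
        }
        return b.toString();
    }
    public static void main(String[] args) {
        StringTemplate st = new StringTemplate(
            "<b>hello $user; format=\"html\"$</b>\n" +
            "<script>alert(\"hello $user; format=\"js\"$\");</script>");
        st.registerRenderer(String.class, new ContextRenderer());
        st.setAttribute("user", "O'Brien <b> & ]]>");  // constructed sample value
        System.out.println(st.toString());
    }
}
```

The same attribute is emitted twice with different escaping, chosen per site in the template rather than once at the point where the value is set.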

