[stringtemplate-interest] HTML escaping
Roman Odaisky
roma at qwertty.com
Fri Jan 18 14:10:38 PST 2008
On Friday, 18.01.2008 23:55:43 Terence Parr wrote:
> > The manual says one should use renderers for escaping. That makes sense for
> > applications that generate SQL, or C, but how does one use ST for JS embedded
> > in HTML? <b>hello $user$</b> and alert("hello $user$") need different
> > escaping, and the possible presence of <![CDATA[ complicates things further.
>
> Hi. You can use \$ to escape the $ which usually takes care of it even
> in CDATA. ST translates to $.
Thanks for such a quick response, but it seems you misunderstood me. I want to
escape the value of the variable, which can contain quotation marks,
apostrophes, ampersands and such. The thing is, that has to be done
differently for HTML and JS. In HTML, < must become &lt; while in JS (which
is inside a CDATA most of time) that is incorrect, but instead " must become
\".
Suppose I tell the designer that the “user” variable contains the name of the
user. He can embed that into HTML as $user$, but has no way to reference the
variable safely from JS (an XSS possibility arises).
How can one specify more than one rendering option for a variable?
WBR, Roman.
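One way to give a single variable more than one rendering, added here as an illustration and not code from this thread or from the StringTemplate project: a renderer that picks the escaper from the template's format option, so the designer writes `$user$` (HTML-escaped by default) in markup and `$user; format="js"$` inside a script. It assumes the StringTemplate 3.1 AttributeRenderer interface with its two-argument `toString(Object, String formatName)` and the `$attr; format="name"$` syntax; the class name `ContextEscapingRenderer`, the escaper methods and the sample user value are constructed for this example.

```java
import org.antlr.stringtemplate.AttributeRenderer;
import org.antlr.stringtemplate.StringTemplate;

// Added example: one renderer, two named output contexts ("html" and "js").
public class ContextEscapingRenderer implements AttributeRenderer {

    // Plain $user$ with no format option: escape for HTML text/attribute context,
    // so a bare reference in markup is never emitted raw.
    public String toString(Object o) {
        return escapeHtml(String.valueOf(o));
    }

    // $user; format="html"$ or $user; format="js"$ (assumed ST 3.1 hook).
    public String toString(Object o, String formatName) {
        String s = String.valueOf(o);
        if (formatName == null || formatName.equals("html")) return escapeHtml(s);
        if (formatName.equals("js")) return escapeJsString(s);
        // Fail closed: an unknown context must not silently fall back to raw output.
        throw new IllegalArgumentException("unknown format: " + formatName);
    }

    // HTML escaping: the five characters that can change element or attribute structure.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Escaping for the inside of a JS string literal. Quotes and backslashes are
    // backslash-escaped; '<', '>' and '&' become hex escapes so that a value containing
    // "</script>" or "]]>" cannot end the enclosing <script> element or CDATA section,
    // which is exactly the HTML-inside-JS-inside-HTML problem raised in the post.
    static String escapeJsString(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '\\':     sb.append("\\\\");   break;
                case '"':      sb.append("\\\"");   break;
                case '\'':     sb.append("\\'");    break;
                case '\n':     sb.append("\\n");    break;
                case '\r':     sb.append("\\r");    break;
                case '<':      sb.append("\\x3c");  break;
                case '>':      sb.append("\\x3e");  break;
                case '&':      sb.append("\\x26");  break;
                case '\u2028': sb.append("\\u2028"); break; // JS line terminators that
                case '\u2029': sb.append("\\u2029"); break; // would break the literal
                default:       sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // The same attribute referenced from markup and from an inline script.
        StringTemplate t = new StringTemplate(
            "<b>hello $user$</b>\n" +
            "<script>//<![CDATA[\n" +
            "alert(\"hello $user; format=\"js\"$\");\n" +
            "//]]></script>");
        t.registerRenderer(String.class, new ContextEscapingRenderer());
        // Constructed sample input that would break both contexts if left unescaped.
        t.setAttribute("user", "O'Brien <b>\"x\"</b> ]]></script>");
        System.out.println(t.toString());
    }
}
```

Registering the renderer for `String.class` means every string attribute goes through it, so the safe default (HTML escaping) applies even when the designer forgets the format option; the `js` format is the opt-in for the one context where HTML entities would be wrong.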