[stringtemplate-interest] HTML escaping
Terence Parr
parrt at cs.usfca.edu
Fri Jan 18 17:44:21 PST 2008
On Jan 18, 2008, at 2:10 PM, Roman Odaisky wrote:
> On Friday, 18.01.2008 23:55:43 Terence Parr wrote:
>
>>> The manual says one should use renderers for escaping. That makes
>>> sense for applications that generate SQL, or C, but how does one use
>>> ST for JS embedded in HTML? <b>hello $user$</b> and alert("hello
>>> $user$") need different escaping, and the possible presence of
>>> <![CDATA[ complicates things further.
>>
>> Hi. You can use \$ to escape the $ which usually takes care of it
>> even in CDATA. ST translates to $.
>
> Thanks for such a quick response, but it seems you misunderstood me.
> I want to escape the value of the variable, which can contain
> quotation marks, apostrophes, ampersands and such. The thing is, that
> has to be done differently for HTML and JS. In HTML, < must become
> &lt; while in JS (which is inside a CDATA most of time) that is
> incorrect, but instead " must become \".
ah. sorry. yep, you just need a renderer object. Wrap all of these
attributes with a renderer and then use

$attribute; format="escapeHTML"$

or

$mydata; format="verbose"$

or, if all strings must be escaped, just wrap in an object whose
toString() does the right thing.
See all my papers on this; e.g., ICWE paper.
> Suppose I tell the designer that the “user” variable contains the
> name of the user. He can embed that into HTML as $user$, but has no
> way to reference the variable safely from JS (an XSS possibility
> arises).
you'll need the format option.
> How can one specify more than one rendering option for a variable?
format option :)
Ter
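An added example, not from this thread or from the StringTemplate project, of putting the advice above into practice with the ST 3.1 Java API: one String renderer whose toString(Object, String formatName) dispatches on the format option, so the same $user$ attribute can be emitted into HTML markup and into a JS string literal inside a CDATA section with the right escaping for each. The class name ContextRenderer and the format name "escapeJS" are my own choices; "escapeHTML" is the name used in the thread.

```java
import org.antlr.stringtemplate.AttributeRenderer;
import org.antlr.stringtemplate.StringTemplate;

/** Picks the escaping rule from the template's format option (assumes the ST 3.1 API). */
public class ContextRenderer implements AttributeRenderer {
    // No format option given: escape for HTML rather than emit the raw string.
    public String toString(Object o) {
        return escapeHtml(o.toString());
    }
    public String toString(Object o, String formatName) {
        String s = o.toString();
        if ("escapeHTML".equals(formatName)) return escapeHtml(s);
        if ("escapeJS".equals(formatName)) return escapeJs(s); // "escapeJS" is my own format name
        throw new IllegalArgumentException("unknown format: " + formatName);
    }
    // HTML text/attribute context: replace the characters that can change markup.
    static String escapeHtml(String s) {
        StringBuilder b = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  b.append("&amp;");  break;
                case '<':  b.append("&lt;");   break;
                case '>':  b.append("&gt;");   break;
                case '"':  b.append("&quot;"); break;
                case '\'': b.append("&#39;");  break;
                default:   b.append(c);
            }
        }
        return b.toString();
    }
    // JS string-literal context: hex-escape everything except letters, digits and spaces,
    // so quotes, backslashes, "</script>" and "]]>" cannot break out; no HTML entity is
    // produced, since a CDATA section would not decode it anyway.
    static String escapeJs(String s) {
        StringBuilder b = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (Character.isLetterOrDigit(c) || c == ' ') b.append(c);
            else b.append(String.format("\\u%04x", (int) c));
        }
        return b.toString();
    }
    public static void main(String[] args) {
        StringTemplate st = new StringTemplate("<b>hello $user; format=\"escapeHTML\"$</b>\n"
            + "<script>//<![CDATA[\nalert(\"hello $user; format=\"escapeJS\"$\");\n//]]></script>");
        st.registerRenderer(String.class, new ContextRenderer());
        st.setAttribute("user", "<\"O'Brien\" & co>"); // constructed sample value
        System.out.println(st.toString());
    }
}
```

With the sample value the HTML line renders the angle brackets, quotes and ampersand as entities, while the alert() argument receives only letters, spaces and \u escapes, so neither context can be broken out of by the attribute's content.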