[stringtemplate-interest] HTML escaping
Christopher Brown
chris77550 at gmail.com
Fri Mar 21 01:50:16 PDT 2008
I'd just like to take this opportunity to thank those involved in
releasing the ST#3.1 beta, which now has the "format" option and which
is useful for exactly this sort of thing (avoiding script injection).
Incidentally, on the subject of registering formatters (on the C#
version), I can't register a formatter by interface, which is a shame.
I have three classes that implement "ITranslated", so I had to write
this:
// can't register attribute renderer for interfaces :-(
// so the same renderer is registered once per concrete class that implements ITranslated
TranslationRenderer translationRenderer = new TranslationRenderer(_engine, _localeProvider);
template.RegisterAttributeRenderer(typeof(LmsPath), translationRenderer);
template.RegisterAttributeRenderer(typeof(LmsModule), translationRenderer);
template.RegisterAttributeRenderer(typeof(Discipline), translationRenderer);
...instead of doing it just once, for "typeof(ITranslated)". I'm
guessing the reflection code is comparing the type and not taking into
account implemented interfaces. Is there any chance this might be
improved in future versions?
Thanks,
Christopher
On 21/03/2008, John Snyders <jjsnyders at rcn.com> wrote:
> This may be of interest to you
> http://hardlikesoftware.com/weblog/2008/02/15/script-injection-and-stringtemplate/
> Just some thoughts. The current best answer is what Terence already
> said; use a format option/renderer.
> -John
>
> Roman Odaisky wrote:
> > Greetings,
> >
> > I'm looking for a template engine for a future Web project. I really like the
> > strict philosophy of StringTemplate, but could you please explain one thing:
> >
> > The manual says one should use renderers for escaping. That makes sense for
> > applications that generate SQL, or C, but how does one use ST for JS embedded
> > in HTML? <b>hello $user$</b> and alert("hello $user$") need different
> > escaping, and the possible presence of <![CDATA[ complicates things further.
> >
> > WBR, Roman.
> > _______________________________________________
> > stringtemplate-interest mailing list
> > stringtemplate-interest at antlr.org
> > http://www.antlr.org:8080/mailman/listinfo/stringtemplate-interest
> >
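The two points raised in this thread, registering one renderer for an interface rather than for each implementing class, and choosing different escaping for HTML text versus a JavaScript string literal through the format option, are shown together below in a self-contained C# sketch. This is an added example, not code from the poster, from John's article or from the StringTemplate project: the IAttributeRenderer shape, the RendererRegistry, EscapingRenderer, and the LmsPath/Discipline/ITranslated model types are all assumptions made for the illustration, and the registry stands in for the engine's own type lookup rather than calling it.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Text;

// Assumed renderer shape for this sketch: the second argument is the name the
// template gives in its format option, e.g. $user; format="html"$.
public interface IAttributeRenderer
{
    string ToString(object value, string formatName);
}

// Hypothetical model types standing in for the poster's ITranslated hierarchy.
public interface ITranslated { string Key { get; } }
public sealed class LmsPath : ITranslated { public string Key { get; set; } }
public sealed class Discipline : ITranslated { public string Key { get; set; } }

// One renderer, registered once for the interface; the format name picks the
// escaping rules, so HTML text and a JS string literal get different output.
public sealed class EscapingRenderer : IAttributeRenderer
{
    public string ToString(object value, string formatName)
    {
        ITranslated t = value as ITranslated;
        string s = t != null ? t.Key : Convert.ToString(value, CultureInfo.InvariantCulture);
        switch (formatName)
        {
            case "html": return HtmlEscape(s);
            case "js":   return JsStringEscape(s);
            case null:   return s;   // no format option: emitted raw, unsafe inside markup
            default:     throw new ArgumentException("unknown format: " + formatName);
        }
    }

    // HTML text / attribute-value context: the five characters HTML treats specially.
    public static string HtmlEscape(string s)
    {
        StringBuilder sb = new StringBuilder(s.Length);
        foreach (char c in s)
        {
            switch (c)
            {
                case '&':  sb.Append("&amp;"); break;
                case '<':  sb.Append("&lt;"); break;
                case '>':  sb.Append("&gt;"); break;
                case '"':  sb.Append("&quot;"); break;
                case '\'': sb.Append("&#39;"); break;
                default:   sb.Append(c); break;
            }
        }
        return sb.ToString();
    }

    // JS string-literal context: everything outside a small safe set becomes
    // \uXXXX, so quotes, backslashes, line terminators, "</script>" and "]]>"
    // cannot terminate the literal, the script element or a CDATA section.
    public static string JsStringEscape(string s)
    {
        StringBuilder sb = new StringBuilder(s.Length);
        foreach (char c in s)
        {
            bool safe = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                        (c >= '0' && c <= '9') || c == ' ' || c == '.' || c == ',' ||
                        c == '_' || c == '-' || c == ':';
            if (safe) sb.Append(c);
            else sb.AppendFormat(CultureInfo.InvariantCulture, "\\u{0:x4}", (int)c);
        }
        return sb.ToString();
    }
}

// Registry that, unlike the exact-type comparison the poster describes, also
// matches a registered base class or interface of the value's runtime type.
public sealed class RendererRegistry
{
    private readonly Dictionary<Type, IAttributeRenderer> _renderers =
        new Dictionary<Type, IAttributeRenderer>();

    public void Register(Type type, IAttributeRenderer renderer) { _renderers[type] = renderer; }

    public IAttributeRenderer Lookup(Type type)
    {
        IAttributeRenderer r;
        if (_renderers.TryGetValue(type, out r)) return r;         // exact match first
        foreach (KeyValuePair<Type, IAttributeRenderer> kv in _renderers)
            if (kv.Key.IsAssignableFrom(type)) return kv.Value;   // then assignable types
        return null;
    }

    // What an engine would do for $attr; format="..."$ (assumed behaviour).
    public string Render(object value, string formatName)
    {
        IAttributeRenderer r = Lookup(value.GetType());
        return r != null ? r.ToString(value, formatName) : Convert.ToString(value);
    }
}

public static class Demo
{
    public static void Main()
    {
        RendererRegistry registry = new RendererRegistry();
        registry.Register(typeof(ITranslated), new EscapingRenderer());   // once, not per class

        object hostile = new LmsPath { Key = "</script><script>alert('x')</script>" };
        Console.WriteLine("<b>hello " + registry.Render(hostile, "html") + "</b>");
        Console.WriteLine("alert(\"hello " + registry.Render(hostile, "js") + "\")");
        Console.WriteLine(registry.Render(new Discipline { Key = "a & b" }, "html"));
    }
}
```

Two caveats for anyone adapting this. First, when more than one registered supertype matches a value's type, the fallback loop returns whichever Dictionary entry it visits first, so register the most specific types you care about explicitly or walk the type hierarchy in a defined order. Second, the "js" rule only makes a value safe inside a JS string literal; a value dropped into a script outside quotes, or into a URL or CSS context, needs its own format name and its own rules, which is exactly why the per-context format option is the right tool here.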