couchdb-user mailing list archives

From Roger Binns <rog...@rogerbinns.com>
Subject Re: Javascript templating for shows/lists
Date Sat, 05 Dec 2009 08:41:27 GMT

Vlad GURDIGA wrote:
> Did anyone try E4X?

I mention it in the wiki page in the first paragraph as useful for XML based
formats.  (The book also refers to using it for generating Atom).

http://wiki.apache.org/couchdb/Generating%20HTML%20from%20Javascript%20shows%20and%20lists

I've added Google's Closure to the list as it has an interesting approach of
ahead-of-time compilation to JavaScript code.  (The goal isn't to list every
possible engine but rather a small handful that would be useful to the kind
of people consulting the wiki page for recommendations, and that are known
to work right now.)

Thanks to Nathan I found the attachment to EJS is because it also includes
helper functions that generate the HTML wrapping tags for you.  I've
mentioned that in the "Best Practises" section.  (Its code for doing this is
in a separate file confusingly named views.js and can be used with the other
engines that do not do HTML escaping, with minor tweaking.)

I've tried to get EJS to work.  The exact same code and template applied on
a fresh Fedora 12 install results in a single space being returned (as
opposed to a regex error on Ubuntu 9.10).  Changing the template didn't
change what was returned. An older EJS version had the same regex error
problem on Ubuntu.

I've yet to hear from anyone what the bugs in Resig's micro-templating
actually are, other than the obvious one that it isn't supported and has no
way of reporting bugs!

Finally I think it is a bad idea for the CouchDB book to be using Resig's
micro-templating.  (My being uncomfortable with it is why I started this
thread and wiki page.)  In addition to the claims of bugs and its lack of
support, not HTML escaping by default sets a bad precedent. Developers new
to CouchDB are likely to follow the book's example and then end up with HTML
output that is prone to XSS attacks or just plain invalid.  As CouchDB gets
more popular, I'd hate for there to be a perception that apps using it
generally tend to be broken or are good places to hunt for XSS attacks.

Roger
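
The escaping-by-default point in the message above, as an added example that is not part of the original post and is not code from EJS, Resig's micro-templating or the CouchDB book. The renderer, its `<%= %>` / `<%- %>` tags, the `escapeByDefault` switch and the sample document are all assumptions made for illustration.

```javascript
// Hypothetical minimal renderer (added example, not any real engine's API).
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// <%= field %> interpolates a document field; <%- field %> is an explicit,
// greppable opt-out for values that are already trusted HTML.
// escapeByDefault=false models an engine that never escapes on its own.
function render(template, data, escapeByDefault = true) {
  return template.replace(/<%([=-])\s*([\w.]+)\s*%>/g, (_, mode, path) => {
    const value = path
      .split('.')
      .reduce((obj, key) => (obj == null ? undefined : obj[key]), data);
    const text = value == null ? '' : String(value);
    return mode === '=' && escapeByDefault ? escapeHtml(text) : text;
  });
}

// Constructed sample document: the author field holds user-supplied markup.
const doc = {
  _id: 'post-1',
  title: 'Tips & tricks',
  author: '<script>alert(1)</script>',
};
const template = '<h1><%= title %></h1><p class="by"><%= author %></p>';

// Shaped like a CouchDB show function: takes (doc, req), returns a response.
function showUnescaped(d, req) {
  return { headers: { 'Content-Type': 'text/html' }, body: render(template, d, false) };
}

function showEscaped(d, req) {
  return { headers: { 'Content-Type': 'text/html' }, body: render(template, d, true) };
}

console.log(showUnescaped(doc, {}).body); // stored markup reaches the page as-is
console.log(showEscaped(doc, {}).body);   // same template, markup rendered inert
```

With the non-escaping variant the bare `&` also makes the output invalid HTML, which is the "just plain invalid" case from the message.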
