incubator-couchdb-user mailing list archives

From Roger Binns <rog...@rogerbinns.com>
Subject Re: Javascript templating for shows/lists
Date Fri, 04 Dec 2009 22:02:38 GMT
> http://github.com/yssk22/crayon
> 
> This library enables you to write as follows:
> 
> <%= h(var) %>
> <%= text_field(doc, "path-to-field") %>

embeddedjs includes a views.js file that adds something similar.

My concern about escaping is over simple values.  For example, if someone
specifies something like this in a template:

   <%= title %>

If the value is not HTML escaped by default, then it is a potential source of
XSS attacks.  In the vast majority of cases values should be HTML escaped.
A separate mechanism can then be used to stop escaping (for example, Mustache
uses different tags and the Python Genshi templating system wraps the value
in a different class).

Roger
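The escape-by-default behaviour Roger argues for, as an added example that is not code from embeddedjs, crayon or CouchDB: a small `<%= %>` renderer that HTML-escapes every interpolated value, with both opt-outs he mentions (a different tag, `<%- %>`, in the Mustache style, and a wrapper class in the Genshi style), shown next to the unescaped variant that turns a document field into an XSS vector. The `<%- %>` spelling, the `SafeString`/`safe` names and the sample document are assumptions of this example; the template syntax only resolves dotted identifiers against the context, it does not evaluate expressions.

```javascript
// Added example, not code from embeddedjs, crayon or CouchDB.
// A tiny <%= %> template renderer that escapes by default, beside the
// unescaped variant the message warns about.  Only dotted identifier
// lookups are supported inside a tag (no expression evaluation).

const ESCAPE_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// h(): the escaping helper named in the quoted post.  Escapes the five
// characters that matter in HTML text and quoted attribute-value context.
function h(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPE_MAP[ch]);
}

// Genshi-style opt-out (assumed name): a value wrapped in SafeString is
// emitted verbatim.  Wrap only markup you built and escaped yourself.
class SafeString {
  constructor(s) { this.value = String(s); }
  toString() { return this.value; }
}
function safe(s) { return new SafeString(s); }

// Resolve "doc.title" against the render context; a missing path yields "".
function lookup(path, ctx) {
  const found = path.split('.').reduce((obj, key) => (obj == null ? undefined : obj[key]), ctx);
  return found ?? '';
}

// Mustache-style opt-out at the tag level (assumed spelling, as in EJS):
// <%= x %> escapes, <%- x %> does not.
const TAG_RE = /<%(=|-)\s*([A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*)\s*%>/g;

// Safe default: everything is escaped unless the template author opts out
// with the <%- %> tag or the value was explicitly marked safe.
function render(template, ctx) {
  return template.replace(TAG_RE, (_, mode, path) => {
    const value = lookup(path, ctx);
    if (mode === '-' || value instanceof SafeString) return String(value);
    return h(value);
  });
}

// The pattern the message warns against: interpolation without escaping.
// Any markup stored in a document field lands in the page as live markup.
function renderNoEscape(template, ctx) {
  return template.replace(TAG_RE, (_, _mode, path) => String(lookup(path, ctx)));
}

// Constructed sample document, shaped like what a show function receives.
const SAMPLE_DOC = { title: '<script>alert(1)</script>', body: 'plain text' };
const TEMPLATE = '<h1><%= doc.title %></h1><p><%= doc.body %></p>';

// Render the same template both ways so the difference is visible.
function demo() {
  return {
    unsafe: renderNoEscape(TEMPLATE, { doc: SAMPLE_DOC }),
    safe: render(TEMPLATE, { doc: SAMPLE_DOC }),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

With the escaping default, a template author who writes `<%= title %>` gets safe output without thinking about it, and the two opt-outs are visible in the template (`<%- %>`) or at the point where the markup is built (`safe(...)`), which is where a reviewer wants to look.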
