incubator-couchdb-user mailing list archives

From Zachary Zolton <zachary.zol...@gmail.com>
Subject Re: Javascript templating for shows/lists
Date Fri, 04 Dec 2009 22:21:40 GMT
Note that Rails has also changed to escaping by default:
http://weblog.rubyonrails.org/2009/10/12/what-s-new-in-edge-rails

On Fri, Dec 4, 2009 at 4:02 PM, Roger Binns <rogerb@rogerbinns.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>> http://github.com/yssk22/crayon
>>
>> This library enables you to write as follows:
>>
>> <%= h(var) %>
>> <%= text_field(doc, "path-to-field") %>
>
> embeddedjs includes a views.js file that adds something similar.
>
> My concern about escaping is over simple values.  For example if someone
> specifies something like this in a template.
>
>   <%= title %>
>
> If the value is not HTML escaped by default then it is a potential source of
> XSS attacks.  In the vast majority of cases values should be HTML escaped.
> A separate mechanism can then be used to stop escaping (for example Mustache
> uses different tags and the Python Genshi templating system wraps the value
> in a different class).
>
> Roger
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iEYEARECAAYFAksZhv4ACgkQmOOfHg372QSUVgCeNqUJn02nvDkmDElF0z6dOwix
> kaUAoI1C3us4P07CuBAy//OLa/pmI4pt
> =72DE
> -----END PGP SIGNATURE-----
>
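The escape-by-default design Roger describes, as an added example that is not code from this thread nor from crayon, embeddedjs, Mustache or Genshi: a small template renderer of the kind a CouchDB show or list function could embed, in which `<%= path %>` HTML-escapes unconditionally. Raw markup gets out only through one of two explicit opt-outs, a distinct `<%- path %>` tag (the Mustache-style route) or a value wrapped in a `SafeHtml` marker object (the Genshi-style route). The tag syntax, the `SafeHtml`, `raw`, `h`, `render` and `textField` names, and the sample document are all this example's own assumptions.

```javascript
// Added example, not from the thread or any library it mentions.
// Escape the five characters that matter in HTML text and attribute values.
function escapeHtml(value) {
  var map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, function (c) { return map[c]; });
}

// Marker type (assumed name): the only way for a *value* to bypass escaping
// is to be wrapped in it, so the decision to trust markup is visible where
// the value is produced, not hidden in the template.
function SafeHtml(html) { this.html = String(html); }
SafeHtml.prototype.toString = function () { return this.html; };
function raw(html) { return new SafeHtml(html); }

// h(): escape unless the value was deliberately marked safe.
function h(value) {
  if (value instanceof SafeHtml) return value.html;
  if (value === null || value === undefined) return '';
  return escapeHtml(value);
}

// Resolve a dotted path such as "doc.title" against the render context.
// Template expressions are plain paths, not evaluated JavaScript, so data
// from a document can never become code in the renderer itself.
function lookup(ctx, path) {
  return path.split('.').reduce(function (obj, key) {
    return obj === null || obj === undefined ? undefined : obj[key];
  }, ctx);
}

// render(): <%= path %> goes through h(); <%- path %> is emitted as-is.
function render(template, ctx) {
  return template.replace(/<%(=|-)\s*([\w.]+)\s*%>/g, function (_, tag, path) {
    var value = lookup(ctx, path);
    if (tag === '-') return value === null || value === undefined ? '' : String(value);
    return h(value);
  });
}

// Form helper in the spirit of the text_field() mentioned upthread (assumed
// signature): both the field name and the current value are escaped, because
// an attribute value is an XSS sink just as much as element text is.
function textField(doc, path) {
  var value = lookup(doc, path);
  return '<input type="text" name="' + escapeHtml(path) + '" value="' +
         escapeHtml(value === undefined || value === null ? '' : value) + '">';
}

// Constructed sample document: an XSS payload in an ordinary string field,
// and a field whose markup the application has chosen to trust.
var sampleDoc = {
  title: '<script>alert(document.cookie)</script>',
  body: raw('<p>Trusted markup, e.g. sanitized on the way in</p>')
};

// Usage: the default tag neutralises the payload in title; body renders as
// markup only because it was wrapped with raw(); <%- %> bypasses escaping.
var page = render(
  '<h1><%= doc.title %></h1><%= doc.body %>' + textField(sampleDoc, 'title'),
  { doc: sampleDoc }
);
```

With this arrangement a template author who writes `<%= title %>` out of habit gets the safe behaviour for free, and every place where raw markup is emitted is greppable, either as a `<%-` tag or as a `raw(` call.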
