NancyFx / Nancy

Lightweight, low-ceremony framework for building HTTP-based services on .NET and Mono
http://nancyfx.org
MIT License

Super Simple View Engine should encode by default #2042

Open phillip-haydon opened 9 years ago

phillip-haydon commented 9 years ago

This is more of a reminder for V2.0

Currently, HTML encoding of values is opt-in instead of opt-out. HTML encoding should always be opt-out.

jvandertil commented 8 years ago

I would like to give a shot at implementing this.

I do see one issue: simply switching the functionality around (e.g. @ would encode by default and @! would print the raw content) will cause dangerous behaviour in all SSVE views ever implemented. Is forcing all users to update all their SSVE views acceptable for a 2.0 release?

jvandertil commented 8 years ago

ping @phillip-haydon

phillip-haydon commented 8 years ago

@grumpydev what's your view on this issue, do you agree with it?

jvandertil commented 8 years ago

I would suggest extending the functionality and implicitly HTML encoding on output while keeping the '!' as explicit HTML encoding (thus making it redundant, and probably removing it in a 3.0 or so), but this avoids breaking people who are doing the safe (and sane) thing of HTML encoding outputs. Changing previously safe behaviour to unsafe behaviour does not feel right to me.

Perhaps introduce ':' as explicitly requesting a raw output?
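
To make the opt-in versus opt-out difference concrete, here is an added Python model of the substitution rules discussed in this thread; it is not Nancy's SSVE code. `@Model.X` is raw under today's opt-in default and encoded under the proposed default, `@!Model.X` always encodes, and the proposed explicit raw marker is assumed here to be spelled `@:Model.X`; the template and model values are constructed.

```python
import html
import re

# Constructed sample view and model; not taken from any real Nancy project.
TEMPLATE = (
    "<p>Hello @Model.Name</p>"      # plain substitution: behaviour depends on the default
    "<p>@!Model.Name</p>"           # explicit encode: safe under either default
    "<div>@:Model.Bio</div>"        # hypothetical explicit raw marker from the proposal
)
MODEL = {
    "Name": "<script>alert(1)</script>",   # attacker-controlled value
    "Bio": "<b>trusted markup</b>",        # markup the view author wants emitted as-is
}

# Matches @Model.Prop, @!Model.Prop and the assumed @:Model.Prop form.
TOKEN = re.compile(r"@(?P<mod>[!:]?)Model\.(?P<prop>\w+)")


def render(template: str, model: dict, encode_by_default: bool) -> str:
    """Substitute model values into the template under the given default."""
    def substitute(match: re.Match) -> str:
        modifier = match.group("mod")
        value = str(model[match.group("prop")])
        if modifier == "!":          # opt-in encoding, as SSVE does today
            return html.escape(value, quote=True)
        if modifier == ":":          # assumed opt-out marker: emit raw on request
            return value
        # plain @Model.X: raw today, encoded once encoding is the default
        return html.escape(value, quote=True) if encode_by_default else value

    return TOKEN.sub(substitute, template)


def unescaped_script_tags(rendered: str) -> int:
    """Count live <script> tags that survived rendering (a quick XSS smoke check)."""
    return rendered.count("<script>")


def compare() -> dict:
    """Render the same view under both defaults so the difference is visible."""
    current = render(TEMPLATE, MODEL, encode_by_default=False)
    proposed = render(TEMPLATE, MODEL, encode_by_default=True)
    return {
        "current_opt_in": current,
        "proposed_opt_out": proposed,
        "script_tags_current": unescaped_script_tags(current),
        "script_tags_proposed": unescaped_script_tags(proposed),
    }
```

The same view leaks a live `<script>` tag under the opt-in default and none under the opt-out default, while the explicitly raw `@:Model.Bio` keeps its markup in both runs.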

jvandertil commented 8 years ago

ping @grumpydev