btrask / stronglink

A searchable, syncable, content-addressable notetaking system

DOM templating #21

Open btrask opened 9 years ago

btrask commented 9 years ago

It might be nice to use DOM templating instead of our current string-based template system.

The main problem currently is that a bad template can compromise the security of the site. For example, if your template is <img src={{val}}>, without quotes around the template variable, then an evil value can insert JavaScript attributes into your image tag. DOM templating is the sanest way to prevent this, because you need the full context of the output in order to do escaping properly (in that case, adding quotes).

Note that once the templates are loaded on startup, there wouldn't necessarily be any additional overhead, because we'd just parse them once and then write them as strings like we do now.

There are some simple DOM libraries in C, which might be viable because templates themselves are more or less trusted (we aren't exposing random content to the DOM parser).
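The following is an added illustration of the point made above, not code from stronglink (which is written in C and would use a C parser such as the one mentioned below). It contrasts the string-based approach, where values are escaped and spliced into the raw template text, with a parse-once approach: the trusted template is parsed into a token list (standing in for a DOM) and then serialized with every attribute value quoted and escaped for its context. The {{name}} placeholder syntax follows the {{val}} example in the comment; the templates, values and helper names are constructed for the demonstration.

```python
import re
from html import escape
from html.parser import HTMLParser

# Placeholder syntax assumed from the {{val}} example in the issue text.
PLACEHOLDER = re.compile(r"\{\{(\w+)\}\}")


def render_string_template(template: str, values: dict) -> str:
    """String-based templating: splice HTML-escaped values into the raw template.

    html.escape converts < > & " ' into entities, but it cannot add the quotes
    the template author left out, and in an unquoted attribute a plain space
    ends the value, so the rest of the string becomes new attributes."""
    return PLACEHOLDER.sub(lambda m: escape(values[m.group(1)], quote=True), template)


class TemplateTreeBuilder(HTMLParser):
    """Parse the trusted template once into a flat token list (a stand-in for a DOM)."""

    def __init__(self):
        super().__init__(convert_charrefs=True)  # entities in the template are decoded
        self.tokens = []

    def handle_starttag(self, tag, attrs):
        self.tokens.append(("start", tag, attrs))

    def handle_startendtag(self, tag, attrs):
        self.tokens.append(("start", tag, attrs))  # <br/> style tags

    def handle_endtag(self, tag):
        self.tokens.append(("end", tag, None))

    def handle_data(self, data):
        self.tokens.append(("text", data, None))


def parse_template(template: str):
    builder = TemplateTreeBuilder()
    builder.feed(template)
    builder.close()
    return builder.tokens


def _fill(text: str, values: dict, attribute: bool) -> str:
    """Substitute placeholders, then escape for the context the node sits in.

    The parser already decoded entities in the template's literal parts, so
    re-escaping the whole filled string is correct for both literal and value."""
    filled = PLACEHOLDER.sub(lambda m: values[m.group(1)], text)
    return escape(filled, quote=attribute)


def render_dom_template(tokens, values: dict) -> str:
    """Serialize the token list: attribute values are always quoted and escaped
    for attribute context, text nodes are escaped for text context."""
    out = []
    for kind, name, attrs in tokens:
        if kind == "start":
            parts = [name]
            for key, val in attrs:
                if val is None:
                    parts.append(key)  # boolean attribute such as <input disabled>
                else:
                    parts.append(f'{key}="{_fill(val, values, attribute=True)}"')
            out.append("<" + " ".join(parts) + ">")
        elif kind == "end":
            out.append(f"</{name}>")
        else:
            out.append(_fill(name, values, attribute=False))
    return "".join(out)


def first_tag_attributes(html: str):
    """Names of the attributes on the first tag of rendered output (for checking)."""
    for kind, _tag, attrs in parse_template(html):
        if kind == "start":
            return [key for key, _val in attrs]
    return []


# Constructed demonstration: an unquoted attribute in the template and a value
# that carries a space followed by what looks like a second attribute.
TEMPLATE = "<img src={{val}} alt={{alt}}><p>{{caption}}</p>"
UNTRUSTED = {"val": "x.png injected=1", "alt": "pic", "caption": "<b>not bold</b>"}

if __name__ == "__main__":
    # String templating: the image tag ends up with three attributes.
    print(render_string_template(TEMPLATE, UNTRUSTED))
    # DOM-style templating: the value stays inside one quoted src attribute.
    print(render_dom_template(parse_template(TEMPLATE), UNTRUSTED))
```

Escaping alone does not help the first renderer because nothing in the untrusted value is a character html.escape touches; only the serializer that knows it is writing an attribute can add the quotes. The parse step runs once at startup, so the rendered output is still produced by string concatenation afterwards, as the comment above anticipates.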

btrask commented 9 years ago

https://github.com/google/gumbo-parser looks promising.