casid / jte

Secure and speedy templates for Java and Kotlin.
https://jte.gg
Apache License 2.0

Why are expressions in HTML attribute names not allowed? #300

Closed hurelhuyag closed 9 months ago

hurelhuyag commented 9 months ago

This is my usual technique for printing the selected attribute. But JTE doesn't allow me to do it. Why is it not allowed? Is there any other recommended way?

    <select name="category" required>
      @for(var c : categories)
        <option id="${c.getId()}" ${c.getId().equals(form.category()) ? "selected" : ""}>${c.getName()}</option>
      @endfor
    </select>

error output:

    Error:  Failed to execute goal gg.jte:jte-maven-plugin:3.0.3:generate (default) on project zeenii: Execution default of goal gg.jte:jte-maven-plugin:3.0.3:generate failed: Failed to compile htmxDemo/feedback.jte, error at line 22: Illegal HTML attribute name ${c.getId().equals(form.category())! Expressions in HTML attribute names are not allowed. -> [Help 1]
chkl commented 9 months ago

In short:

    <select name="category" required>
      @for(var c : categories)
        <option id="${c.getId()}" selected="${c.getId().equals(form.category())}">${c.getName()}</option>
      @endfor
    </select>

JTE has some idea of context to perform HTML sanitisation if necessary. That's why it doesn't allow interpolation at arbitrary HTML locations.

Why the above example works -> https://jte.gg/html-rendering/?h=smart#smart-attributes
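The following is an added, runnable illustration of the answer above; it is not code from the issue or from the jte project itself. It renders the smart-attribute form of the template with jte's runtime engine and assumes jte 3.x (`gg.jte:jte`) on the classpath plus a JDK, since jte compiles templates with javac at runtime. The class name, template file name and the category data are constructed for this demo; `value=` is used in place of the question's `id=` so that a browser would submit the category id.

```java
// Added example (not from the issue or the jte project): renders the
// "smart attribute" form shown in the answer with jte's runtime engine.
// Assumes jte 3.x on the classpath and a JDK (templates are compiled
// with javac at runtime). Class name, template and data are constructed.
import gg.jte.ContentType;
import gg.jte.TemplateEngine;
import gg.jte.output.StringOutput;
import gg.jte.resolve.DirectoryCodeResolver;

import java.nio.file.Files;
import java.nio.file.Path;
import java.util.LinkedHashMap;
import java.util.Map;

public class SmartAttributeDemo {

    // The boolean expression sits in an attribute *value*, never in the
    // attribute-name position the compiler rejected in the question.
    static final String TEMPLATE = String.join("\n",
        "@param java.util.Map<String, String> categories",
        "@param String selected",
        "<select name=\"category\" required>",
        "@for(var c : categories.entrySet())",
        "  <option value=\"${c.getKey()}\" selected=\"${c.getKey().equals(selected)}\">${c.getValue()}</option>",
        "@endfor",
        "</select>");

    public static void main(String[] args) throws Exception {
        // Write the template to a temp directory so DirectoryCodeResolver can load it.
        Path dir = Files.createTempDirectory("jte-demo");
        Files.writeString(dir.resolve("select.jte"), TEMPLATE);

        // ContentType.Html enables jte's context-aware HTML escaping.
        TemplateEngine engine = TemplateEngine.create(new DirectoryCodeResolver(dir), ContentType.Html);

        // Constructed sample data. The last name carries HTML metacharacters
        // to exercise the escaping of text content.
        Map<String, String> categories = new LinkedHashMap<>();
        categories.put("1", "Books");
        categories.put("2", "Music");
        categories.put("3", "Games & <more>");

        Map<String, Object> params = new LinkedHashMap<>();
        params.put("categories", categories);
        params.put("selected", "2");

        StringOutput out = new StringOutput();
        engine.render("select.jte", params, out);
        System.out.println(out);
    }
}
```

Per the smart-attributes section linked in the answer, a boolean expression in a boolean attribute's value renders the bare attribute (`selected`) when true and drops the attribute entirely when false, which is exactly what the ternary in the question tried to do by hand. Because the expression is in a position jte understands (text content, attribute value), jte can pick the right encoder for it; an expression in attribute-name position has no safe encoding, since a string there could introduce a new attribute such as an event handler, so the compiler refuses it outright instead of guessing.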