croservices / cro-webapp

Utilities for building server-side web applications using Cro, including templating.

Create types for avoiding escaping #77

Open FCO opened 2 years ago

FCO commented 2 years ago

It would be very helpful if there were 2 types (maybe 2 roles) such that when a template tag receives an instance of that type, it would automatically avoid escaping it. Maybe it could be something like HTML and JAVASCRIPT roles that would automatically apply &HTML and &HTML-AND-JAVASCRIPT (maybe a &JAVASCRIPT if that exists), so when doing:

<.method-returning-html>

and the object on $_ has something like:

method method-returning-html {
   '<a href="http://pudim.com.br">Pudim</a>' does HTML
}

it would behave as it were:

<&HTML(.method-returning-html)>

and also existing:

class Link {
   has Str $.title;
   has Str $.href;

   method Str {
      qq'<a href="$!href">$!title</a>' does HTML
   }
}

if we have:

<.pudim-link>

and that returns something like:

method pudim-link { Link.new: :title<Pudim>, :href<http://pudim.com.br> }

it would be equivalent to:

<&HTML(.pudim-link.Str)>

and the same for JS

vendethiel commented 2 years ago

If anything, I feel like this should be fragments, because that's prone to XSS and it doesn't need to be. Strings should be avoided where possible.

FCO commented 2 years ago

@vendethiel sorry, what do you mean by fragments?

FCO commented 2 years ago

But using those types, wouldn't that mean you KNOW that's HTML or JS?! You WANT that to not be escaped? The same as using &HTML and &HTML-AND-JAVASCRIPT.

vendethiel commented 2 years ago

I mean that, in your example, $!href and $!title are prone to injection, because you trusted the whole thing. If you had to build it manually, as in: raw('<a href="'), $!link, raw('">'), $!title, raw('</a>') for example (or, for everyone who wrote CGI scripts a few decades ago, a($!title, href => $!title)), then this'd leave a lot less room for error.
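To make the difference between the two comments concrete, here is an added Python illustration (not Cro::WebApp code, and not written by either participant). It models the first comment's proposal as an `Html` marker type that the renderer passes through unescaped, and vendethiel's "fragments" approach as a `join` of raw markup and escaped data. The names `Html`, `render_value`, `raw`, `join`, `TrustedLink` and `FragmentLink` are hypothetical, and the link title and href below are constructed inputs chosen to show where whole-string trust breaks.

```python
import html
from dataclasses import dataclass


@dataclass(frozen=True)
class Html:
    """Hypothetical marker type (stands in for the proposed HTML role): a
    fragment the renderer emits verbatim instead of escaping."""
    markup: str


def render_value(value) -> str:
    """Emulates what a template tag does with a value: Html instances are
    trusted and passed through, everything else is HTML-escaped."""
    if isinstance(value, Html):
        return value.markup
    return html.escape(str(value), quote=True)


def raw(markup: str) -> Html:
    """Mark a literal piece of markup as trusted (the 'raw' in the comment above)."""
    return Html(markup)


def join(*parts) -> Html:
    """Concatenate fragments: raw() pieces stay as-is, plain data is escaped.
    The result is itself Html, so nesting it in a template does not double-escape."""
    return Html("".join(render_value(p) for p in parts))


@dataclass
class TrustedLink:
    """The issue's Link: the whole interpolated string is marked trusted,
    so $!href and $!title reach the page unescaped."""
    title: str
    href: str

    def html(self) -> Html:
        return Html(f'<a href="{self.href}">{self.title}</a>')


@dataclass
class FragmentLink:
    """The fragments variant: only the literal tag pieces are raw; the
    attribute value and the text content are still escaped."""
    title: str
    href: str

    def html(self) -> Html:
        return join(raw('<a href="'), self.href, raw('">'), self.title, raw('</a>'))


# Constructed inputs: a title carrying markup and an href carrying a quote.
SAMPLE_TITLE = "Pudim <b>x</b>"
SAMPLE_HREF = 'http://pudim.com.br/?q="x"'


def trusted_output() -> str:
    return render_value(TrustedLink(SAMPLE_TITLE, SAMPLE_HREF).html())


def fragment_output() -> str:
    return render_value(FragmentLink(SAMPLE_TITLE, SAMPLE_HREF).html())


if __name__ == "__main__":
    print("plain string, escaped by the tag:", render_value(SAMPLE_TITLE))
    print("whole string trusted:           ", trusted_output())
    print("fragments, data escaped:        ", fragment_output())
```

With the trusted version the quote in the href closes the attribute early and the `<b>` in the title is emitted as a tag; with the fragment version both are escaped while the surrounding anchor markup is kept raw. That is the point of keeping the "trusted" marker on literal markup only and never on a string that has had data interpolated into it.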

FCO commented 2 years ago

My suggestion was more about an automated way of making a return value not be escaped than about how to make that.