emacs-love / templatel

Jinja inspired template language for Emacs Lisp
https://emacs.love/templatel
GNU General Public License v3.0

feat: automatic HTML entity escaping #5

Closed clarete closed 3 years ago

clarete commented 3 years ago

This refers to issue #4 and adds automatic escaping of HTML entities within text passed through variables to a template. e.g.:

(templatel-render-string "<p>{{ post }}</p>" '(("post" . "<script>alert(1)</script>")) :autoescape t)
;; "<p>&lt;script&gt;alert(1)&lt;/script&gt;</p>"

It is also possible to locally disable the auto escaping using the safe filter:

(templatel-render-string "<p>{{ post|safe }}</p>" '(("post" . "<script>alert(1)</script>")) :autoescape t)
;; "<p><script>alert(1)</script></p>"

Auto escaping comes disabled by default for templatel-render-string but comes enabled by default for HTML and XML files in the function templatel-render-file. Control auto escaping with templatel-env-set-autoescape when an environment is created with templatel-env-new.
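A worked check of the behaviour this PR describes, written as an added example rather than code from the templatel project. It assumes templatel is loaded so that the `templatel-render-string` calls from the description above work; the `my/` functions, the reference escape table and the sample input are constructed here and are not part of templatel. The reference escaper covers the five HTML-significant characters a text-context escaper needs; the PR only shows `<` and `>` being mapped, so the checks compare templatel's output on the PR's own sample input, which contains only those two.

```elisp
;; Added example, not part of templatel. Assumes templatel is loaded
;; so that `templatel-render-string' (shown in the PR) is available.
(require 'cl-lib)

(defconst my/html-escape-table
  '((?& . "&amp;") (?< . "&lt;") (?> . "&gt;") (?\" . "&quot;") (?' . "&#39;"))
  "Reference mapping for HTML text/attribute escaping (constructed here).
How templatel itself maps \" and ' is not shown on the PR page (assumption).")

(defun my/html-escape (s)
  "Return S with every HTML-significant character replaced by an entity."
  (mapconcat (lambda (c)
               (or (cdr (assq c my/html-escape-table))
                   (char-to-string c)))
             s ""))

(defun my/render-post (post &optional trusted)
  "Render POST inside a <p> with autoescaping on.
When TRUSTED is non-nil the `safe' filter from the PR is applied, so the
value is inserted verbatim; only do that for markup you produced yourself."
  (templatel-render-string
   (if trusted "<p>{{ post|safe }}</p>" "<p>{{ post }}</p>")
   `(("post" . ,post))
   :autoescape t))

;; Constructed sample input, the same one used in the PR description.
(defconst my/sample-post "<script>alert(1)</script>")

(defun my/check-autoescape ()
  "Verify that a variable's markup is neutralised unless marked safe.
Returns t when every check passes; `cl-assert' signals otherwise."
  (let ((escaped (my/render-post my/sample-post))
        (raw     (my/render-post my/sample-post t)))
    ;; Escaped output must match the reference escaper on this input.
    (cl-assert (string= escaped
                        (concat "<p>" (my/html-escape my/sample-post) "</p>")))
    ;; No raw tag from the variable survives into the document.
    (cl-assert (not (string-match-p "<script" escaped)))
    ;; `safe' deliberately passes the markup through unchanged.
    (cl-assert (string-match-p "<script" raw))
    t))

;; (my/check-autoescape)  ; evaluate in *scratch* with templatel loaded
```

The escape table is the usual text-context mapping; autoescaping of this kind protects values placed in HTML text and quoted attribute values, but it does not make a value safe to drop into a URL, an inline script or an event-handler attribute, which need context-specific encoding in addition to entity escaping.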