jeromegn / slang

Slim-inspired templating language for Crystal
MIT License
236 stars 30 forks

Escaping HTML entities #18

Closed jwoertink closed 7 years ago

jwoertink commented 7 years ago

It looks like `span  ` renders the literal ` ` instead of ` `. I know that I can do `span== " "` to escape it, but it feels like HTML entities should be rendered as normal when not in any code block.

So something like this

- `span •` would render a span with the escaped •
- `span= "•"` would render the literal •
- `span== "•"` would render the escaped •

jeromegn commented 7 years ago

Hey there,

Slang's default is to escape everything except if it's in an element using `==` (as you mentioned).

Since we don't do anything special to handle `#{some_code}`, any line could potentially include that. All Slang does is add the line to the lines buffer to be evaluated at runtime.

```
span #{some_code}
# is the same as doing:
span = "#{some_code}"
```

I looked through the code to see if there was a quick way of doing this, but I couldn't find one.

The quickest way would be not to escape elements without any `=`, but I think that would be insecure. I prefer secure by default.

A longer way (and probably a more correct way) would be to detect those &[...]; entities and not escape them.

For now I recommend either explicitly specifying the element as "not escaped" using `==` or using the actual character (i.e. ` `).

I know this is not ideal, I'm keeping this issue open because it does sound like something we want to enhance.
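The "detect the entities and leave them alone" approach from the comment above, written out as an added Crystal example (not Slang's own code): the regex, the helper name and the sample inputs are my own, and only the standard library's `HTML.escape` is assumed.

```crystal
require "html"

# Added example, not Slang's code: escape user text but leave already
# well-formed entities (&name; &#NNN; &#xHHH;) untouched, as proposed above.
# Everything outside a matched entity still goes through HTML.escape, so a
# bare "&", "<" or ">" can never reach the page unescaped.
ENTITY_RE = /&(?:[a-zA-Z][a-zA-Z0-9]*|#[0-9]+|#[xX][0-9a-fA-F]+);/

def escape_preserving_entities(text : String) : String
  String.build do |io|
    pos = 0
    text.scan(ENTITY_RE) do |m|
      io << HTML.escape(text[pos...m.begin]) # escape the text before the entity
      io << m[0]                              # copy the entity itself verbatim
      pos = m.end
    end
    io << HTML.escape(text[pos..])            # escape the tail after the last entity
  end
end

# Constructed inputs covering the cases discussed in the thread:
# a real entity, markup that must still be escaped, and a bare ampersand.
puts escape_preserving_entities("a &bull; b")
puts escape_preserving_entities("<b>x</b> &amp; y")
puts escape_preserving_entities("fish &chips")
```

The helper only checks an entity's spelling, not that the name exists, and an input like `&lt;` is passed through as the entity, so the browser still shows a literal `<` rather than a tag.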