lambda-fairy / maud

:pencil: Compile-time HTML templates for Rust
https://maud.lambda.xyz
Apache License 2.0

Shouldn't `escape_to_string` escape `'` characters? #413

Closed benwr closed 5 months ago

benwr commented 5 months ago

I note that `escape_to_string` doesn't currently escape `'` characters. IIUC these can be used to delimit attributes, so I'd have thought you'd want to escape them. Is that wrong?

benwr commented 5 months ago

Ah, maybe this doesn't matter because you always generate double-quoted attributes. Sorry if that's the case! Just doing a drive-by low-effort audit while trying to evaluate templating options.

lambda-fairy commented 5 months ago

Indeed, we only emit double-quoted attributes so it doesn't matter.

Technically we don't have to escape `>` either, but that might offend the XML folks.
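
The point settled in this thread, as an added example that is not part of the original discussion and is not maud's source: an escaper that leaves `'` alone keeps a value contained only when the attribute is delimited with `"`. The escaped set (`&`, `<`, `>`, `"`), the function names and the sample value are assumptions made for the illustration.

```rust
// Illustrative escaper (assumed set: & < > "), leaving ' untouched.
fn escape_html(input: &str) -> String {
    let mut out = String::with_capacity(input.len());
    for c in input.chars() {
        match c {
            '&' => out.push_str("&amp;"),
            '<' => out.push_str("&lt;"),
            '>' => out.push_str("&gt;"),
            '"' => out.push_str("&quot;"),
            _ => out.push(c),
        }
    }
    out
}

// Render `<a title=...>` using the given quote character as the delimiter.
fn render_attr(value: &str, quote: char) -> String {
    format!("<a title={q}{v}{q}>", q = quote, v = escape_html(value))
}

// Minimal attribute reader: the value ends at the next occurrence of the
// opening quote, which is how an HTML tokenizer delimits a quoted attribute.
// Entities are decoded afterwards, with &amp; last to avoid double decoding.
fn parsed_title(tag: &str) -> Option<String> {
    let rest = tag.strip_prefix("<a title=")?;
    let quote = rest.chars().next()?;
    let body = &rest[quote.len_utf8()..];
    let end = body.find(quote)?;
    Some(
        body[..end]
            .replace("&lt;", "<")
            .replace("&gt;", ">")
            .replace("&quot;", "\"")
            .replace("&amp;", "&"),
    )
}

// True when the parsed attribute value equals what was put in.
fn survives(value: &str, quote: char) -> bool {
    parsed_title(&render_attr(value, quote)).as_deref() == Some(value)
}

fn main() {
    let value = "it's \"quoted\" <b> & more"; // constructed sample input
    println!("{}", render_attr(value, '"'));
    println!("double-quoted round-trips: {}", survives(value, '"'));
    println!("single-quoted round-trips: {}", survives(value, '\''));
}
```

Anyone reusing such an escaper in hand-written markup with single-quoted attributes would also need to escape `'` (for example as `&#39;`).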