Shouldn't `escape_to_string` escape `'` characters?

lambda-fairy / maud

:pencil: Compile-time HTML templates for Rust

https://maud.lambda.xyz

Apache License 2.0

2.14k stars 143 forks source link

Shouldn't `escape_to_string` escape `'` characters? #413

Closed benwr closed 10 months ago

benwr commented 10 months ago

I note that escape_to_string doesn't currently escape ' characters. IIUC these can be used to delimit attributes, so I'd have thought you'd want to escape them. Is that wrong?

benwr commented 10 months ago

Ah, maybe this doesn't matter because you always generate double-quoted attributes. Sorry if that's the case! Just doing a drive-by low-effort audit while trying to evaluate templating options.

lambda-fairy commented 10 months ago

Indeed, we only emit double-quoted attributes so it doesn't matter.

Technically we don't have to escape > either, but that might offend the XML folks.