mustache / spec

The Mustache spec.
MIT License

Add single quote to list of characters escaped #69

Open pinterface opened 11 years ago

pinterface commented 11 years ago

interpolation.yml states that only four characters are escaped: & " < >. It should also include the single quote '. (It should probably also explicitly state whether an implementation can escape additional characters and still remain spec-compliant.)

Not escaping the single quote means <tag attr='{{var}}'> is unsafe, in spite of being semantically equivalent to <tag attr="{{val}}"> which is safe. That's confusing and a recipe for exploits!

Such a change should largely be compatible with mustache-in-the-wild: a number of mustache implementations /already/ escape the single quote (at least in some cases), so any shop which uses mustache in multiple languages is unlikely to be relying on the non-escaped-single-quote:

- Mustache.js: escapes single quotes.
- mustache (ruby): uses CGI. CGI doesn't escape single quotes in Ruby 1.9.x, but does in Ruby 2.0.
- pystache: Single quotes escaped as of Python 3.2.
- mustache.go: Escapes single quotes (as &apos;!).
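The attribute-context problem described in the opening comment, as an added Python illustration (not code from the spec repository or from any implementation named in the thread): a four-character escape table next to a five-character one, a stand-in for `{{var}}` interpolation, and a round-trip check that parses the rendered tag back with the standard library's `HTMLParser`. The table contents, the `&#39;` entity chosen for the apostrophe, the `render`/`round_trips` helper names and the sample value are all assumptions made for the example; only the set of four characters comes from the issue text.

```python
from html.parser import HTMLParser

# Hypothetical escape tables for illustration. FOUR_CHAR is the set that
# interpolation.yml requires today; FIVE_CHAR adds the single quote.
# &#39; for the apostrophe is an assumption, not the spec's wording: it is a
# numeric reference every HTML parser decodes, which is not true of &apos;.
FOUR_CHAR = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;"}
FIVE_CHAR = {**FOUR_CHAR, "'": "&#39;"}


def escape_html(value, table):
    """Single-pass, character-by-character escaping, so an '&' produced by
    one replacement is never re-escaped by a later one."""
    return "".join(table.get(ch, ch) for ch in str(value))


def render(template, var, table):
    """Stand-in for a Mustache {{var}} interpolation; only the escaping
    behaviour is modelled, nothing else of the spec."""
    return template.replace("{{var}}", escape_html(var, table))


class FirstStartTag(HTMLParser):
    """Record the attributes of the first start tag the way a browser-like
    parser sees them (entity references already decoded)."""

    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if self.attrs is None:
            self.attrs = dict(attrs)


def parsed_attr(markup, name="attr"):
    """Return the decoded value of attribute `name` on the first tag, or None."""
    parser = FirstStartTag()
    parser.feed(markup)
    parser.close()
    return (parser.attrs or {}).get(name)


def round_trips(quote, value, table):
    """True when `value` survives interpolation into a `quote`-delimited
    attribute and parses back out unchanged, i.e. the interpolated text did
    not break the attribute boundary."""
    template = "<tag attr=" + quote + "{{var}}" + quote + ">"
    return parsed_attr(render(template, value, table)) == value


# Constructed sample value: a plain apostrophe is enough to show the boundary
# break; with four-character escaping the parser sees attr='it' plus a stray
# attribute named s'.
SAMPLE = "it's"

if __name__ == "__main__":
    for label, table in (("four-char", FOUR_CHAR), ("five-char", FIVE_CHAR)):
        for quote in ('"', "'"):
            print(f"{label} escaping, attr={quote}...{quote}: "
                  f"round-trips={round_trips(quote, SAMPLE, table)}")
```

Only the single-quoted attribute under the four-character table fails the round trip; the same value inside double quotes, or under the five-character table in either quoting style, comes back intact. For comparison, Python's own `html.escape` already escapes the apostrophe by default (as `&#x27;`), in line with the pystache behaviour listed above.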

tchalvak commented 11 years ago

+1 makes sense to me.

nwhittaker commented 10 years ago

+1

dasilvacontin commented 9 years ago

+1

jgonggrijp commented 10 months ago

This is still an omission as of 2023. I welcome a pull request to address this.

(My implementation, Wontache, escapes single quotes as well.)

bobthecow commented 10 months ago

I think this should be the default, but will require a major version change. Let's tag things with backwards compatibility breaks that we'd like to do anyway?

jgonggrijp commented 10 months ago

I would say "bugfix". Bug fixes are always breaking in a way, but we don't bump the major version for them, because the thing that stops working should not have worked in the first place.

I would be more hesitant with this stance if most implementations didn't escape single quotes yet. Given that the practice is already widespread, however, I feel this is just a fix for an omission.