onionhammer / nim-templates

A simple string templating library for Nim
BSD 3-Clause "New" or "Revised" License

No support to escape HTML Code automatically #2

Closed oderwat closed 9 years ago

oderwat commented 9 years ago

I think it is really unfortunate that escaping is not supported out of the box.

The first thing I do for any "todo" style framework example is to add <script>alert("fail")</script> as an item. I saw that the webexample from the article fails this test and therefore is a really bad example! This should never be overlooked imho!

How do you think this could best be handled / fixed?

onionhammer commented 9 years ago

I'm not sure what you mean; quotes are escaped. Use triple quoted strings, i.e.

    import templates

    # the parameter needs a type, otherwise Nim rejects the proc
    proc alert(value: string): string = tmpli html"""
        <script>alert("$value")</script>
        """

    echo alert("hello")

outputs:

    <script>alert("hello")</script>

oderwat commented 9 years ago

I speak about your webexample article + https://github.com/onionhammer/samplenimweb.

Run the server and type into the box on the website and add that item to the todo list.

Escaping HTML (`<` to `&lt;`, `&` to `&amp;` usually) is imho a very important part of a template system used with a web framework.

My question was: How would you fix your example in that regard?

I usually would expect an automatic escaping behavior by the template class which could be suppressed by a special form of "raw" operation.

BTW: Closing an issue because you do not understand what was meant before getting an answer is probably counterproductive.

onionhammer commented 9 years ago

It's a very simplistic example; escaping HTML is trivial, but it's really not at all the point of the tutorial. The point of the tutorial is just a head-start; to escape HTML you should use the Nim standard library.

http://nim-lang.org/xmltree.html#escape,string

Also, this is not the correct place to submit this issue; if you're talking about my TODO sample, that's in a different repo.

If you want to escape the input from the very basic sample TODO app, escape it before adding it to the seq:

    post "/add":
        add(@"newItem".escape())

oderwat commented 9 years ago

I understand that, but I also think that even the most basic tutorials should mention and handle this, because leaving it out contributes to security problems. One needs to realize that stuff like this is read by complete beginners too. So adding a small "we need to escape the input such that..." would have been cool in my eyes.

Anyway, I would prefer if the template module could escape automatically, because this reduces errors and afaik one will mostly add stuff which has to be escaped. Couldn't this be added to the template system itself in some way?

I guess you are not interested in discussing this, so I may just try something for myself. I think it should be possible to define the macro in a way that it escapes all strings, but how would one specify strings which should not be expanded?

Thank you for the templates anyway. Pretty useful and inspiring!
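As an added example (not code from this thread, from nim-templates or from the sample TODO app), here is the "escape by default, opt out explicitly" behaviour oderwat asks for, built on the stdlib `xmltree.escape` that onionhammer points to. The names `SafeHtml`, `raw`, `h` and `todoItem` are chosen here; the same `$h(item)` call can sit inside a `tmpli` interpolation.

```nim
# Added example: untrusted strings are escaped on the way into markup,
# and only values explicitly wrapped as SafeHtml bypass escaping.
import xmltree

type
  SafeHtml = distinct string    # markup the caller vouches for

proc `$`(x: SafeHtml): string = string(x)

# Explicit opt-out: the "raw" operation. Only use on markup you generated.
proc raw(s: string): SafeHtml = SafeHtml(s)

# Plain strings are always escaped; SafeHtml passes through unchanged.
# xmltree.escape handles < > & " ' which covers element text and quoted
# attribute values; it is not sufficient for values placed inside
# <script> blocks or URLs, which need context-specific encoding.
proc h(s: string): SafeHtml = SafeHtml(escape(s))
proc h(s: SafeHtml): SafeHtml = s

# Shape of the bug in the sample TODO app: user input concatenated as-is.
proc todoItemUnsafe(item: string): string =
  "<li>" & item & "</li>"

# Hardened shape: an item can only reach the markup through h().
proc todoItem(item: string | SafeHtml): string =
  "<li>" & $h(item) & "</li>"

proc todoList(items: seq[string]): string =
  result = "<ul>"
  for it in items:
    result.add todoItem(it)
  result.add "</ul>"

when isMainModule:
  # constructed hostile input, the same probe oderwat uses above
  let hostile = """<script>alert("fail")</script>"""
  # the unsafe version hands the payload to the browser verbatim
  doAssert todoItemUnsafe(hostile) == "<li>" & hostile & "</li>"
  # the default path neutralises it
  doAssert todoItem(hostile) ==
    "<li>&lt;script&gt;alert(&quot;fail&quot;)&lt;/script&gt;</li>"
  # trusted markup must opt out explicitly, so forgetting is the safe case
  doAssert todoItem(raw("<em>done</em>")) == "<li><em>done</em></li>"
  echo todoList(@["buy milk", hostile])
```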