pugjs / pug

Pug – robust, elegant, feature rich template engine for Node.js
https://pugjs.org

Wrap JS tags in either comments or CDATA #2567

Open mk-pmb opened 7 years ago

mk-pmb commented 7 years ago

The "Nested Filters" example currently shows these lines wrapping a script tag:

  //<![CDATA[
  //]]>

Depending on DOCTYPE, either the slashes or the CDATA is useless, and to me it seems that having both can increase your security risk.

From the example, I cannot determine what escaping mechanism is used. If it's really XML CDATA, I'd suggest to remove the slashes, in order to make users aware if they accidentally use that encoding insecurely in an HTML page.

If it's any other encoding, I suggest to remove the CDATA marks because they'd be deceptive.

Edit: The problem seems to be fully contained in jstransformer-cdata-js so I'm gonna report it there, too. Independent from what they think of the issue, I'd like the pug docs to show good examples and avoid showing any footgun code.
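The footgun above, shown as an added example that is not part of the issue, of pug, or of jstransformer-cdata-js: the same `//<![CDATA[ ... //]]>` wrapper is read completely differently by an HTML parser and by an XML parser. The `wrapCdata` helper is an assumption about the shape of the wrapper output, not the filter's real implementation; the end-of-script rule it checks (`</script` followed by whitespace, `/` or `>`, case-insensitive) is the HTML tokenizer's, and the `]]>` rule is XML's.

```javascript
// Added example, not code from pugjs/pug or jstransformer-cdata-js.
// Assumed wrapper shape (an assumption, not the filter's implementation):
// the script body sits between a commented-out CDATA open and close marker.
function wrapCdata(js) {
  return '//<![CDATA[\n' + js + '\n//]]>';
}

// HTML: a <script> element ends at the first "</script" followed by
// tab, LF, FF, space, "/" or ">" (case-insensitive). The CDATA markers are
// ordinary JS comments to an HTML parser and protect nothing.
const HTML_SCRIPT_END = /<\/script[\t\n\f \/>]/i;

function htmlScriptEndsAt(body) {
  const m = HTML_SCRIPT_END.exec(body);
  return m ? m.index : -1;
}

// XML (XHTML served as application/xhtml+xml): a CDATA section ends at the
// first "]]>" after "<![CDATA[". Inside it "</script>" is plain text, but a
// "]]>" in the body closes the section early. Returns the offset of the
// first "]]>" after the opener, or -1 if there is no opener.
function xmlCdataEndsAt(wrapped) {
  const open = wrapped.indexOf('<![CDATA[');
  if (open < 0) return -1;
  return wrapped.indexOf(']]>', open + '<![CDATA['.length);
}

// Classify one script body under both parsers. 'premature-end' means the
// element (HTML) or CDATA section (XML) closes before the intended "//]]>",
// so whatever follows is parsed as markup again.
function analyse(js) {
  const wrapped = wrapCdata(js);
  const intendedXmlEnd = wrapped.lastIndexOf(']]>');
  return {
    html: htmlScriptEndsAt(wrapped) === -1 ? 'ok' : 'premature-end',
    xml: xmlCdataEndsAt(wrapped) === intendedXmlEnd ? 'ok' : 'premature-end',
  };
}

// Escaping that is safe under both parsers when the payload is a JS string
// literal (e.g. JSON.stringify output): "<" and ">" become \u003c / \u003e,
// so neither "</script" nor "]]>" can appear. Only valid inside string
// literals; it is not a way to sanitise arbitrary program text.
function escapeForInlineScript(jsonText) {
  return jsonText.replace(/</g, '\\u003c').replace(/>/g, '\\u003e');
}

// Constructed sample bodies (made up for this example).
const samples = {
  plain: 'const a = 1;',
  htmlBreakout: 'var s = "</script><img src=x onerror=alert(1)>";',
  xmlBreakout: 'var s = "]]><foo/>";',
};
for (const [name, js] of Object.entries(samples)) {
  console.log(name, analyse(js));
}
console.log('escaped', escapeForInlineScript(JSON.stringify({ u: '</script>' })));
```

The "htmlBreakout" body is reported as fine by the XML rule and as an early termination by the HTML rule, which is exactly the case where CDATA-style escaping gives a false sense of safety in an HTML document; "xmlBreakout" is the mirror image. If the script content is data rather than code, the `\u003c`/`\u003e` escaping is parser-independent and is the one to reach for.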

ForbesLindesay commented 7 years ago

We should probably consider looking for a better example of nested filters. Perhaps minifying some coffee-script. CDATA is very rarely used, so we probably shouldn't feature it so prominently.

dylanh724 commented 7 years ago

CDATA is very rarely used, so we probably shouldn't feature it so prominently.

Err.. Google Analytics uses CDATA