rstudio / htmltools

Tools for HTML generation and output
https://rstudio.github.io/htmltools/

HTML content still escaped in tag() attributes #17

Open jiho opened 9 years ago

jiho commented 9 years ago
 tag("a", list(HTML("&"), href=HTML("mailto:&")))

gives

<a href="mailto:&amp;">&</a> 

when I would expect

<a href="mailto:&">&</a> 

NB: this is a problem to obfuscate email addresses using markdown for example.

jcheng5 commented 9 years ago

This is by design. Can you talk a little bit more about your use case? Why would you ever want a raw ampersand instead of &amp;? (Note that attributes in HTML are supposed to be HTML-escaped--the browser will un-escape when interpreting the attribute. See here for a fiddle that demonstrates this.)

jiho commented 9 years ago

Some Markdown processors "will also perform a bit of randomized decimal and hex entity-encoding to help obscure your address from address-harvesting spambots" (as per the Markdown syntax page). So

<address@example.com>

becomes

<a href="&#x6D;&#x61;i&#x6C;&#x74;&#x6F;:&#x61;&#x64;&#x64;&#x72;&#x65;
&#115;&#115;&#64;&#101;&#120;&#x61;&#109;&#x70;&#x6C;e&#x2E;&#99;&#111;
&#109;">&#x61;&#x64;&#x64;&#x72;&#x65;&#115;&#115;&#64;&#101;&#120;&#x61;
&#109;&#x70;&#x6C;e&#x2E;&#99;&#111;&#109;</a>

As you can see there are unescaped & in the href part. I wanted to use this together with a(). It used to work (when a() was part of shiny), hence my "bug" report.

ctbrown commented 8 years ago

Joe,

I ran into this today and side with @jiho on this.

I agree with you. Normally, you would want HTML-escaping, but there are some instances/use cases that expect raw, unescaped HTML in attributes. I assumed as the OP that using HTML(...) would prevent the HTML escaping for the attributes and can confirm that it does not.

I think in this case, the OP has a point: HTML does not work as the documents lead you to believe. I would recommend either updating the docs to be more clear or (probably better) supporting the functionality that @jiho expected.

C-

mikebesso commented 7 years ago

Here is another use case.

I am hoping to use htmltools to help build MathML blocks to include in rmarkdown.

So, I need:

tag("mo", "&sum;")

to return:

<mo>&sum;</mo>

but, instead, I get:

<mo>&amp;sum;</mo>

which, of course, will not produce the epsilon I am looking for.

Am I missing something? Can htmltools help me?

THANKS

agricolamz commented 1 year ago

I used htmltools::tags$script(some_js_script) and got into the same problem...

gadenbuie commented 1 year ago

@agricolamz If you wrap the script portion in HTML() it will be protected from escaping:

tags$script(HTML("alert('& hello world!')"))
#> <script>alert('& hello world!')</script>

And @mikebesso (sorry for the delay!) and anyone else with a similar issue, the minor missing detail is that tag() expects a list of children or attributes, so list(HTML("&sum;")) will work:

tag("mo", list(HTML("&sum;")))
#> <mo>&sum;</mo>
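
The attribute escaping discussed in this thread, as an added example that is not part of the thread and is not htmltools code. It is a Python sketch using the standard library's HTML parser as a stand-in for the browser; `render_tag`, `parsed_attrs`, `obfuscate`, the `raw_attrs` switch and the sample values are all constructed here. It shows that an escaped attribute round-trips, that an already entity-encoded `mailto:` value is double-escaped into a dead link, and that a raw value containing a quote changes the tag's structure.

```python
from html import escape
from html.parser import HTMLParser


def render_tag(name, attrs, raw_attrs=False):
    """Serialize a start tag; raw_attrs=True is the hypothetical 'no escaping' mode."""
    out = "".join(
        f' {k}="{v if raw_attrs else escape(v, quote=True)}"' for k, v in attrs.items()
    )
    return f"<{name}{out}>"


class _Collector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.seen = []

    def handle_starttag(self, tag, attrs):
        # html.parser decodes character references in attribute values,
        # as a browser does when it interprets the attribute.
        self.seen.append(dict(attrs))


def parsed_attrs(markup):
    """Attributes of the first start tag, as an HTML parser sees them."""
    p = _Collector()
    p.feed(markup)
    p.close()
    return p.seen[0]


def obfuscate(text):
    """Entity-encode every character (deterministic stand-in for Markdown's randomized encoding)."""
    return "".join(f"&#x{ord(c):X};" for c in text)


# Constructed sample values.
PLAIN = "mailto:&"                                   # value from the first comment
PRE_ENCODED = obfuscate("mailto:address@example.com")  # already entity-encoded
WITH_QUOTE = 'x" data-extra="1'                      # value containing a double quote

if __name__ == "__main__":
    for label, value in [("plain", PLAIN), ("pre-encoded", PRE_ENCODED), ("quote", WITH_QUOTE)]:
        for raw in (False, True):
            markup = render_tag("a", {"href": value}, raw_attrs=raw)
            print(f"{label:12} {'raw' if raw else 'escaped':8} {parsed_attrs(markup)}")
```
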