ruricolist / spinneret

Common Lisp HTML5 generator
MIT License

Quotes escaping breaks rendering of JS code #59

Closed svetlyak40wt closed 2 years ago

svetlyak40wt commented 2 years ago

For example, if previously we were able to:

CL-USER> (spinneret:with-html
           (:script :type "text/javascript"
                    "console.log('Hello')"))
<script type=text/javascript>console.log('Hello')</script>

But now spinneret generates:

CL-USER> (spinneret:with-html
           (:script :type "text/javascript"
                    "console.log('Hello')"))
<script type=text/javascript>console.log(&#39;Hello&#39;)</script>

When loading such a site in the browser (chrome-based), I get this error in the developer console:

Uncaught SyntaxError: Unexpected token '&'

Probably, we need not do this escaping inside SCRIPT blocks? Maybe STYLE nodes also should not contain escaped quotes?

svetlyak40wt commented 2 years ago

I found a temporary workaround. JS code might be wrapped in :RAW:

CL-USER> (spinneret:with-html
           (:script :type "text/javascript"
                    (:raw "console.log('Hello')")))
<script type=text/javascript>console.log('Hello')</script>

ruricolist commented 2 years ago

That's the intended behavior. I'm reluctant to add special cases to the general rule of "HTML output is always escaped unless you specifically request otherwise."

svetlyak40wt commented 2 years ago

Ok. Then I'll fix this problem by adding :raw where it is applicable.

I've checked how escaping works for attribute values and found that single quotes are not escaped, but double quotes are:

REBLOCKS-TEST/DEPENDENCIES> (spinneret:with-html
                              (:a :href "#"
                                  :onclick "console.log('Hello world!')"))
<a href=# onclick="console.log('Hello world!')"></a>
NIL

REBLOCKS-TEST/DEPENDENCIES> (spinneret:with-html
                              (:a :href "#"
                                  :onclick "console.log(\"Hello world!\")"))
<a href=# onclick="console.log(&quot;Hello world!&quot;)"></a>
NIL

Do you consider it a bug which should be fixed in the future?

ruricolist commented 2 years ago

I don't think it's a bug, but out of an abundance of caution I've set them to be escaped as well.
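
The :raw workaround above turns escaping off for the whole script body, so any runtime value spliced into that JavaScript has to be encoded by the caller. The following is an added example, not code from this thread or from Spinneret; `js-string-literal` and `render-greeting` are hypothetical names, and it assumes that `:raw` accepts a form evaluated at run time.

```lisp
;; Added example (not Spinneret code). Assumes Spinneret is loaded.

(defun js-string-literal (string)
  "Return STRING as a double-quoted JavaScript string literal that is
safe to emit inside a <script> element through :raw."
  (with-output-to-string (out)
    (write-char #\" out)
    (loop for ch across string
          for code = (char-code ch)
          do (case ch
               (#\\ (write-string "\\\\" out))       ; backslash -> \\
               (#\" (write-string "\\\"" out))       ; quote     -> \"
               (#\Newline (write-string "\\n" out))
               (#\Return (write-string "\\r" out))
               ;; Emit < > & as \uXXXX so that "</script>" and "<!--"
               ;; can never appear in the raw text of the element.
               ((#\< #\> #\&) (format out "\\u~4,'0X" code))
               (t (if (or (< code 32)
                          ;; U+2028/U+2029 are line terminators in
                          ;; older JavaScript engines.
                          (member code '(#x2028 #x2029)))
                      (format out "\\u~4,'0X" code)
                      (write-char ch out)))))
    (write-char #\" out)))

(defun render-greeting (name)
  "Render a script block that logs NAME. The statement itself is fixed;
only the encoded literal carries runtime data."
  (spinneret:with-html-string
    (:script :type "text/javascript"
      (:raw (format nil "console.log(~A);" (js-string-literal name))))))

;; Constructed input that would otherwise close the element early:
;; (render-greeting "</script><b>x</b>")
```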