Closed svetlyak40wt closed 2 years ago
I found a temporary work-around. JS code might be wrapped into the :RAW:
CL-USER> (spinneret:with-html
           (:script :type "text/javascript"
             (:raw "console.log('Hello')")))
<script type=text/javascript>console.log('Hello')</script>
That's the intended behavior. I'm reluctant to add special cases to the general rule of "HTML output is always escaped unless you specifically request otherwise."
Ok. Then I'll fix this problem by adding :raw where it is applicable.
I've checked how escaping works for attribute values and found that single quotes are not escaped, but double quotes are:
REBLOCKS-TEST/DEPENDENCIES> (spinneret:with-html
                              (:a :href "#"
                                  :onclick "console.log('Hello world!')"))
<a href=# onclick="console.log('Hello world!')"></a>
NIL
REBLOCKS-TEST/DEPENDENCIES> (spinneret:with-html
                              (:a :href "#"
                                  :onclick "console.log(\"Hello world!\")"))
<a href=# onclick="console.log("Hello world!")"></a>
NIL
Do you consider it a bug which should be fixed in the future?
I don't think it's a bug, but out of an abundance of caution I've set them to be escaped as well.
For example, if previously we were able to:
But now spinneret generates:
When loading such a site in the browser (Chrome-based), I get this error in the developer console:
Probably, we need not do this escaping inside SCRIPT blocks? Maybe STYLE nodes also should not contain escaped quotes?
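Added example, not part of the thread and not Spinneret code: Python's standard html.parser stands in here for a browser's tokenizer to show the two contexts discussed above. Character references in an attribute value are decoded before the handler code is used, but a SCRIPT or STYLE body is handed over verbatim, so escaped quotes reach the JavaScript engine as literal text. The sample markup is constructed and the `&#39;` / `&quot;` forms are assumptions; `safe_for_raw_script` is a hypothetical helper for vetting text before it is emitted through :raw.

```python
import re
from html.parser import HTMLParser

# Sequences the HTML spec says must not appear literally inside a <script> body.
RAW_SCRIPT_HAZARDS = re.compile(r"<!--|<script|</script", re.IGNORECASE)


class ContextProbe(HTMLParser):
    """Collects attribute values and script/style bodies as the tokenizer yields them."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.attrs = {}      # attribute name -> value (entities already decoded)
        self.raw_text = {}   # "script" / "style" -> body text, never entity-decoded
        self._open = None

    def handle_starttag(self, tag, attrs):
        self.attrs.update(attrs)
        if tag in ("script", "style"):
            self._open = tag
            self.raw_text.setdefault(tag, "")

    def handle_endtag(self, tag):
        if tag == self._open:
            self._open = None

    def handle_data(self, data):
        if self._open:
            self.raw_text[self._open] += data


def probe(markup):
    parser = ContextProbe()
    parser.feed(markup)
    parser.close()
    return parser


def safe_for_raw_script(body):
    """True if body can be emitted unescaped inside <script> without ending the element early."""
    return RAW_SCRIPT_HAZARDS.search(body) is None


# Constructed samples; the &#39; / &quot; forms are assumed, not copied from Spinneret output.
ESCAPED_SCRIPT = "<script type=text/javascript>console.log(&#39;Hello&#39;)</script>"
RAW_SCRIPT = "<script type=text/javascript>console.log('Hello')</script>"
ESCAPED_ATTR = '<a href=# onclick="console.log(&quot;Hello world!&quot;)"></a>'
BREAKOUT = '<script>var s = "</script><b>x</b>";</script>'
```

`probe(BREAKOUT)` shows the trade-off of :raw: with escaping switched off, a `</script` sequence inside the text closes the element, so anything not fully under the developer's control should pass a check like `safe_for_raw_script` first.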