Closed simon-nicholls closed 11 years ago
HTML encoding won't work with Hiccup 1.0 because the output of the html
macro is a string, therefore there's no way to distinguish nested HTML from a string that needs to be HTML encoded.
However, because there's a lot of interest in this, I'm going to start development on 2.0 in the next few days. I already have a lot of the work complete in separate branches.
2.0 development would be great. Thanks for taking the issue seriously.
Regarding the code I've included here, it's not dealing with many use cases - just plain pre-compilable strings for simplicity. However, the approach I'm trying to demonstrate, for debate, is that strings are either HTML safe or they are not, and a set can be used to identify those that are.
It's true that the html macro always produces strings, but that's not a problem in this approach. The problem is to have a set in the top level html macro only, that is usable by any (possibly lazily generated) string that will render. Couldn't nested html macros behave appropriately via macrolet / &form or other mechanism?
Of course if nested html macros are tweaked, we could probably use a different type internally anyway, to get metadata back.
Btw, it was great to meet you at the EuroClojure conference. See you at HaskellX if you're going!
The problem is that this needs to work:
(defn doctype []
"<!DOCTYPE html>")
(defn foo []
(html [:p "foo"]))
(defn bar []
(html (doctype) [:div (foo)]))
As far as I can tell, under the code you've supplied, this wouldn't work unless we wrapped foo
and doctype
in your html-safe
function, but that would break compatibility. Hiccup follows semantic versioning, so any break in compatibility is a major version release.
I think switching to default HTML safety is a major breaking change, and needs a major version release anyway. When I made the switch with Rails, I greatly underestimated how many strings needed html safety tagging (many helper functions were "tainted"). Though it was a great benefit afterwards.
I can get single escaping and safety marking working for the basic case I tried with (compilable literal strings), but any approach needs to be considered freshly in the context of your 2.0 plans. I look at that foo function and see it equivalent to a "final product" string. Treating it differently "in context" is going to be a hack of some type, it's just that metadata (if it were possible) would be cleaner and has precedent elsewhere.
Anyway, I don't think this issue makes sense outside of 2.0, so I'll close out. Catch you at HaskellX if you go.
It's actually the first I've heard of HaskellX, but I'll look it up :)
A naive implementation of HTML encoding by default, to get the ball rolling hopefully. Comments?