Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Autoescape HTML? #94

Open
pbsds opened this issue Nov 18, 2022 · 10 comments
Open

Autoescape HTML? #94

pbsds opened this issue Nov 18, 2022 · 10 comments
Labels
enhancement New feature or request

Comments

@pbsds
Copy link

pbsds commented Nov 18, 2022

Is this feature implemented? If not: will it ever?
@enthus1ast
Copy link
Owner

enthus1ast commented Nov 19, 2022
edited

Yeah, i thought about it, but it's not currently implement.
You mean html that is in a variable that on rendering is escaped, right?

@enthus1ast enthus1ast added the enhancement New feature or request label Nov 19, 2022
@pbsds
Copy link
Author

pbsds commented Nov 19, 2022

Correct.

Jinja2, has the problem of this simply being enabled by a autoescape=True flag, which simply assumes HTML. Other use-cases include YAML. Perhaps nimja could simply accept an "escaper function", which will escape the string output of a value unless it is marked safe?

@enthus1ast
Copy link
Owner

What do you think of this syntax:

{{ foo:safe }}

@pbsds
Copy link
Author

pbsds commented Jan 12, 2023

Looks good! But does this mean that :safe is the token, or : + safe? In the latter case, what would happen if a : proc is defined, and safe exists?

@enthus1ast
Copy link
Owner

enthus1ast commented Jan 12, 2023
edited

Good questions.
It seems that : is not a valid proc nor variable name.

so both are not valid nim (at least for now):

var `foo:baa` = "foo"

proc `:`(s1, s2: string):
  echo s1
  echo s2

"foo":"baa"
:"foo", "baa"

so i guess its save to use.

While writing the parsing function for this, i asked myself if there could be other use cases for the ":" syntax.
since pipe | and dot . are pretty much user definable and more runtime.

In constrast the :safe syntax would actually change how the parser/codegen works.
So in the case of :safe it would omit the codegen for the escaping function.

Edit: The current design of nimja would not allow | safe so easily, that's the reason i thought about :safe.
The current parsing function would allow

assert splitSafe2("foo:safe") == ("foo", true)
assert splitSafe2("foo: safe") == ("foo", true)
assert splitSafe2("foo : safe") == ("foo", true)
assert splitSafe2("foo : safe ") == ("foo", true)
assert splitSafe2("foo.baa.baz() :safe") == ("foo.baa.baz()", true)

But this needs more testing if it can clash with something.

@pbsds
Copy link
Author

pbsds commented Jan 12, 2023

Then : looks like the best option.

@enthus1ast
Copy link
Owner

enthus1ast commented Jan 12, 2023
edited

Another option would be to introduce a completely new tag:

{{. foo .}}
{. foo .}
{$ foo $}

in the current nimja, this actually looks like the cleanest solution.

$afe you know :)

@pbsds
Copy link
Author

pbsds commented Jan 12, 2023
edited

This would add complexity if in the future you are to implement user-defined entry and exit syntax. (see block_start_string an onward here)

EDIT: Jinja1 guide: https://svn.python.org/projects/external/Jinja-1.1/docs/build/altsyntax.html

@enthus1ast
Copy link
Owner

Oh i did not know that jinja allows to overwrite this. Interesting.

@enthus1ast
Copy link
Owner

Yeah such an Environment is a future step, but a good hint!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@pbsds @enthus1ast