
xmlEncode

Open itsumura-h opened this issue 2 years ago • 3 comments

Variable should be xml encoded to prevent XSS https://nim-lang.org/docs/cgi.html#xmlEncode%2Cstring

```nim
import templates

let x = "<script>alert(\"hello\")</script>"

let dom = tmpli html"""
<p>$x</p>
"""   # ↑ Danger: x is inserted unescaped
```

So I propose a new syntax, if possible:

  • $if, $else, $case, $for => as it is
  • ${ let x = "aaa" } => as it is
  • $(x) => bind variable in html without xml encode
  • ${{x}} => bind variable in html with xml encode

Then it should be like this:

```nim
import templates

let x = "<script>alert(\"hello\")</script>"

let dom = tmpli html"""
<p>${{x}}</p>
"""
assert dom == "<p>&lt;script&gt;alert(&quot;hello&quot;)&lt;/script&gt;</p>"
```

itsumura-h avatar May 09 '22 05:05 itsumura-h
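An added example (not code from the issue or from nim-templates) showing the escaping the proposal asks for, done with the syntax that exists today: `xmlEncode` from Nim's `std/cgi` called inside a `$(...)` expression binding. It assumes `$(expr)` evaluates an arbitrary Nim expression in the template, as the proposal's list describes, and that `tmpli` yields a string, as the issue's own snippet uses it.

```nim
import std/cgi        # xmlEncode escapes <, >, & and " (and nothing else)
import std/strutils   # replace
import templates      # nim-templates; provides tmpli

# Constructed untrusted input for the example.
let x = "<script>alert(\"hello\")</script>"

# Unsafe: the raw value is copied into the markup verbatim, so any tag or
# attribute inside it becomes part of the page.
let unsafe = tmpli html"""<p>$x</p>"""
doAssert unsafe == "<p><script>alert(\"hello\")</script></p>"

# Safe with the existing syntax: escape inside the expression binding
# (assumption: $(expr) evaluates a Nim expression, as the proposal lists).
let safe = tmpli html"""<p>$(xmlEncode(x))</p>"""
doAssert safe == "<p>&lt;script&gt;alert(&quot;hello&quot;)&lt;/script&gt;</p>"

# Caveat: xmlEncode leaves the single quote untouched, so it is adequate for
# element text and double-quoted attribute values only. A value that lands in a
# single-quoted attribute needs ' escaped as well (hypothetical helper).
proc attrEncode(s: string): string =
  xmlEncode(s).replace("'", "&#39;")

let title = "it's <b>"
doAssert attrEncode(title) == "it&#39;s &lt;b&gt;"
let attr = tmpli html"""<a title='$(attrEncode(title))'>link</a>"""
doAssert attr == "<a title='it&#39;s &lt;b&gt;'>link</a>"
```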

Interesting idea - My only concern would be it interfering with some other nim syntax. What about adding another prefix to indicate escape; like '$!' instead of just '$' ?

i.e.

```nim
import templates

let x = "<script>alert(\"hello\")</script>"

let dom = tmpli html"""
<p>$!x</p>
"""
assert dom == "<p>&lt;script&gt;alert(&quot;hello&quot;)&lt;/script&gt;</p>"
```

onionhammer avatar May 09 '22 13:05 onionhammer

@onionhammer "!" means a destructive change, or doing something that should not be used but is unavoidably dangerous, in other programming languages. So "$!x" would preferably be like dangerouslySetInnerHTML in React, and if "$x" is escaped by default, it is safe.

itsumura-h avatar May 11 '22 01:05 itsumura-h

Yeah good point. I wouldn't want to issue a breaking change for this, but syntactic sugar for escaping the HTML would be nice.

onionhammer avatar May 11 '22 01:05 onionhammer