On Mon, Jan 4, 2010 at 9:27 PM, Erdinc Yilmazel <erdincyilma...@gmail.com> wrote:

>>> The one thing that jumped out at me (from the docs — I haven't had a chance
>>> to play yet) is how you handle escaping. Or don't, I'm not sure. You do
>>> state that "Cambridge is designed especially for generating HTML, XML or
>>> any markup content," so I figure it's important to be able to produce such
>>> output correctly.
>>>
>>
>> For example, if I set the name variable to <script>alert('hi!')</script>,
>> and run it through the template <h1>${name}</h1> then does Cambridge
>> output:
>>
>> 1. <h1><script>alert('hi!')</script></h1>
>> 2. <h1>&lt;script&gt;alert('hi!')&lt;/script&gt;</h1>
>>
>
> In Cambridge, the escaping is handled by filters, which are not documented
> on the wiki yet. By default, Cambridge currently outputs any text as it is,
> but there is a filter named escape that provides this functionality. Instead
> of writing ${name}, if you write ${name}(escape) it will print
> <h1>&lt;script&gt;alert('hi!')&lt;/script&gt;</h1>. What I'm not sure is
> if this should be the default behaviour or not. Maybe escaping by default is
> better.
>

That's great to hear. Please, please, make this the default. You'll save
yourself a lot of trouble down the road.

> The filters can also be chained using the | character, for instance you can
> write ${name}(escape|upper) and get the output in upper case.
>

-Dom
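As an added illustration of the filter syntax discussed in this thread (this is not Cambridge's own code, and the escapeByDefault switch is an assumed knob, not a Cambridge option), a toy Java renderer that applies ${var}(filter|filter) chains and shows why escaping by default removes the unsafe bare ${name} case:

```java
import java.util.Map;
import java.util.function.UnaryOperator;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Toy renderer for the ${var}(filter|filter) syntax from the thread; this is not
// Cambridge's code, and the escapeByDefault switch is an assumption, not a Cambridge option.
public final class FilterTemplate {
    private static final Pattern PLACEHOLDER =
        Pattern.compile("\\$\\{(\\w+)\\}(?:\\(([\\w|]+)\\))?");
    private static final Map<String, UnaryOperator<String>> FILTERS =
        Map.<String, UnaryOperator<String>>of(
            "escape", FilterTemplate::escapeHtml, "upper", String::toUpperCase);
    private final boolean escapeByDefault;
    public FilterTemplate(boolean escapeByDefault) { this.escapeByDefault = escapeByDefault; }

    // '&' is replaced first so the entities produced by the later steps are not re-escaped;
    // quotes are covered too so the output is also safe inside attribute values.
    static String escapeHtml(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;").replace("'", "&#39;");
    }
    public String render(String template, Map<String, String> vars) {
        Matcher m = PLACEHOLDER.matcher(template);
        StringBuilder out = new StringBuilder();
        while (m.find()) {
            String value = vars.getOrDefault(m.group(1), "");
            boolean escaped = false;
            if (m.group(2) != null) {
                for (String name : m.group(2).split("\\|")) {
                    UnaryOperator<String> f = FILTERS.get(name);
                    if (f == null) throw new IllegalArgumentException("unknown filter: " + name);
                    escaped |= name.equals("escape");
                    value = f.apply(value);
                }
            }
            // Escape-by-default: a bare ${name} can no longer emit attacker-controlled markup.
            if (escapeByDefault && !escaped) value = escapeHtml(value);
            m.appendReplacement(out, Matcher.quoteReplacement(value));
        }
        m.appendTail(out);
        return out.toString();
    }

    public static void main(String[] args) {
        Map<String, String> vars = Map.of("name", "<script>alert('hi!')</script>");
        System.out.println(new FilterTemplate(false).render("<h1>${name}</h1>", vars));
        System.out.println(new FilterTemplate(true).render("<h1>${name}</h1>", vars));
        System.out.println(new FilterTemplate(false).render("<h1>${name}(escape|upper)</h1>", vars));
    }
}
```

The first line printed is the raw-markup case the thread warns about; the second and third show the same variable neutralised by the default switch and by an explicit escape|upper chain.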