Comments (7)
It looks like a bug to me.
This is the intended behavior. Whether we should change it, or how we should document it, are good questions. Can you raise them on the mailing list?
I also think this behavior is problematic. We should be documenting how to avoid any hassles from automatic safety, not how to make things safe.
This is far from a simple matter, which is why I closed the issue in favor of discussing it on the mailing list. The presumption underlying it is that Julius interpolation is fixated on values which will be included in JS string literals. I'm not convinced that this is what people are expecting: it may be quite disconcerting for a user to try and interpolate some JS code and have it escaped as if it were appearing inside of a string.
Yeah, so from a security standpoint it matters little whether it will be a string literal or something else. To be secure we shouldn't allow any code whatsoever, only JS values.
This is plausible: if someone wants to insert JS code, they can insert a widget.
It would also be a major change: instead of ToJavascript we would probably need to use ToJSON.
So should we only interpolate `Data.Aeson.Value` values? When we interpolate a `Text`, should it have quotes automatically added? Should we apply entity escaping as well to properly avoid XSS attacks? There are a lot of questions, and I think this is anything but obvious. That's why I'd rather close the issue and discuss it on the list.
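As an added example (not shakespeare's own code, and not the project's API), here is what the "only JS values, never JS code" position from the comments above looks like when written out in JavaScript: a value is JSON-encoded (standing in for the `ToJSON` approach mentioned earlier) and then escaped so it can sit inside a `<script>` element without being able to terminate it, and a defender-side check flags rendered script bodies that still contain a breakout sequence. The names `jsValue`, `naiveInterpolate`, `safeInterpolate`, `hasScriptBreakout` and the sample value are assumptions made for this example.

```javascript
// Added example, not shakespeare's code. Function names are assumed.

// Encode any JSON-representable value as a JavaScript expression. Quotes are
// supplied by the encoder, which answers the "should quotes be added
// automatically for Text?" question with: the value decides, not the author.
function jsValue(value) {
  const json = JSON.stringify(value);
  if (json === undefined) {
    throw new TypeError("value has no JSON representation");
  }
  // JSON.stringify only emits these characters inside string literals, so
  // replacing them with \uXXXX escapes keeps the output valid JSON and valid
  // JS. Escaping '<' covers "</script>" and "<!--" (the entity-escaping
  // concern from the thread); U+2028/U+2029 are line terminators that older
  // engines reject inside string literals.
  return json.replace(/[<>&\u2028\u2029]/g, (ch) =>
    "\\u" + ch.charCodeAt(0).toString(16).padStart(4, "0"));
}

// The behaviour the thread calls problematic: the raw text is dropped into the
// template and the template author supplies the quotes by hand.
function naiveInterpolate(userName) {
  return "var user = '" + userName + "';";
}

// Value-only interpolation: the encoder supplies quotes and escaping.
function safeInterpolate(userName) {
  return "var user = " + jsValue(userName) + ";";
}

// Defender's check on a rendered script body: a literal "</" or "<!--"
// sequence can end the <script> element or switch the HTML parser's state,
// so its presence means a value reached the output unescaped.
function hasScriptBreakout(scriptBody) {
  return /<\/|<!--/i.test(scriptBody);
}

// Constructed sample value containing a quote and a tag close.
const sampleName = "O'Brien </script>";

if (typeof require !== "undefined" && require.main === module) {
  console.log(naiveInterpolate(sampleName), hasScriptBreakout(naiveInterpolate(sampleName)));
  console.log(safeInterpolate(sampleName), hasScriptBreakout(safeInterpolate(sampleName)));
}
```

The design choice worth noting is that `jsValue` never changes the meaning of the value: the escapes it introduces are valid JSON, so `JSON.parse(jsValue(v))` round-trips, and the output is safe in both a `<script>` element and an external `.js` file. A template system that takes this route loses the ability to interpolate arbitrary code, which is exactly the trade-off the comment above raises; code fragments then have to come from a separate, trusted mechanism such as the widget approach mentioned earlier.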
@joeyadams do you want to ask this on the mailing list?