Poole does not do HTML escaping in all places

Issue #6 resolved
Matthijs Kooijman
created an issue

While markdown already handles HTML escaping special characters (e.g., &, <, and >), there are places where markdown is not used to process content before embedding it in HTML (like page titles).

This means that when I use an & in a page title (using the default template) the resulting HTML is invalid because the page title is inserted as-is.

Note that escaping " makes sense too, in case values are used inside HTML attributes (and it doesn't hurt in other places, so we can do that unconditionally).

I can see two solutions for this:

1. Handle HTML escaping implicitly, for all values inserted using {{ }}
2. Update the default templates to include explicit escaping where needed

Since solution 1. can easily lead to unexpected results, is less flexible (if someone wants to use HTML in their page titles, they can't) and probably leads to problems with {{ content }}, which shouldn't be escaped, solution 2. is probably best. Solution 1. could be adapted to be able to use "HTMLString" objects or something to mark a string as "already escaped" (or rather, "does not need escaping"), like for example Django does, but that's probably a lot of extra complexity.

I've just built a patch for solution 2., which seems to work. I'll update the docs accordingly and then send a pull request in a minute.
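The explicit-escaping approach (solution 2) as an added example; this is not Poole's own code nor the submitted patch. It assumes a minimal `{{ }}` renderer that evaluates each expression against a macro dictionary (a stand-in for Poole's real substitution) and a hypothetical `escape` macro placed in that dictionary, so a template can escape a title at the insertion point while leaving `{{ content }}` untouched.

```python
import html
import re

# Added example (not Poole's code): a minimal {{ expr }} renderer standing in
# for Poole's template substitution. Assumption: each expression is evaluated
# against the macros dictionary, so an escape() macro placed there can be
# called from the template (the explicit-escaping approach, solution 2).

def escape(value):
    """Escape &, <, > and " so the value is safe in HTML text and attributes."""
    return html.escape(str(value), quote=True)

TEMPLATE_PATTERN = re.compile(r"\{\{(.*?)\}\}")

def render(template, macros):
    """Replace every {{ expr }} with the result of evaluating expr against macros."""
    def substitute(match):
        expr = match.group(1).strip()
        # Builtins are stripped only to keep this demo tight; the template
        # author controls what is evaluated, exactly as with the real macros.
        return str(eval(expr, {"__builtins__": {}}, macros))
    return TEMPLATE_PATTERN.sub(substitute, template)

# Constructed sample page: a title containing every character that breaks HTML.
MACROS = {
    "escape": escape,
    "page": {"title": 'Tom & Jerry <"Special">'},
    "content": "<p>Already rendered by markdown.</p>",  # must NOT be escaped
}

UNSAFE_TEMPLATE = '<title>{{ page["title"] }}</title>'
SAFE_TEMPLATE = (
    '<title>{{ escape(page["title"]) }}</title>\n'
    '<meta name="description" content="{{ escape(page["title"]) }}">\n'
    '<body>{{ content }}</body>'
)

def render_unsafe():
    """Title inserted as-is: the & and <...> land raw in the output (invalid HTML)."""
    return render(UNSAFE_TEMPLATE, MACROS)

def render_safe():
    """Title escaped where it is inserted (text and attribute); content left alone."""
    return render(SAFE_TEMPLATE, MACROS)

if __name__ == "__main__":
    print(render_unsafe())
    print(render_safe())
```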

Comments (2)

  1. Oben Sonne repo owner

    Nice work, thanks!

    You're right that solution 1 is not an option since it does not allow inserting raw HTML. So solution 2 is just perfect.

    Indeed, using the module's __dict__ is also nice, because then the macros module and the macros dictionary used in pages are implicitly equal (in fact they are identical). The only negative side-effect that may occur is that some standard macros like __content__ might overwrite similarly named items in the macro module. However, I think this is an unlikely issue.

    I've pulled your changes and applied some minor tweaks. Thanks again for your clean contributions.