Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Please consider allowing configurable escaping #1175

Closed
kevinoid opened this issue Feb 4, 2016 · 12 comments
Closed

Please consider allowing configurable escaping #1175

kevinoid opened this issue Feb 4, 2016 · 12 comments

Comments

@kevinoid
Copy link

kevinoid commented Feb 4, 2016

First, thanks for writing/maintaining Handlebars.js. I've used it on several projects and really like it.

In v4.0.0 and later, due to 83b8e84 (as discussed in #1114 and #1083) , = is now escaped to =. Although this is probably a good choice on the whole, it is causing issues for me.

My immediate issue is that SendGrid doesn't HTML-decode href attribute values before replacement in outgoing emails. So templating <a href="{{linkUrl}}">a link</a> with https://example.com/?utm_medium=email yields <a href="https://example.com/?utm_medium&#x3D;email">a link</a> which gets replaced by SendGrid with a tracking URL that redirects to the unescaped href value. Clearly their system is broken, but they have no plans to fix it and it is out of my control. It's also likely not the only software which doesn't properly HTML-decode href values.

I am currently doing my own escaping and returning SafeString, but the amount of work to do this consistently is non-trivial. It would be nice to have an easier option.

Since I always quote attribute values, the = escaping is not necessary and counter-productive for my uses. Would you be willing to support an option to configure which characters are escaped, to accommodate differing needs/uses? If so, I could work up a PR.

Thanks,
Kevin
@jbboehr
Copy link
Contributor

jbboehr commented Feb 5, 2016

Have you tried monkey patching Handlebars.escapeExpression?

@kevinoid
Copy link
Author

kevinoid commented Feb 5, 2016

@jbboehr That's an idea I hadn't tried. Thanks! I tend to stick to the public API to avoid maintenance issues, but if Handlebars.escapeExpression were documented as caller-assignable and changes to that behavior treated as API changes, that would be good enough for me.

@kpdecker
Copy link
Collaborator

kpdecker commented Feb 5, 2016

This or creating a handlebars environment with that specific override are the officially supported approach.

Something like:

let myInst = Handlebars.create();
myInst.escapeExpression = ...
myInst.compile(...);

Should work and avoid any potential global concerns (you might have to adjust that a bit, I haven't tested that directly)

@kpdecker kpdecker closed this as completed Feb 5, 2016
@kevinoid
Copy link
Author

kevinoid commented Feb 5, 2016

Great, thanks. Is it documented somewhere that I missed?

@kpdecker
Copy link
Collaborator

kpdecker commented Feb 5, 2016

I'm not certain, but above would be some of it :)

As with any monkey patch I would recommend writing a test to verify that
it's actually working to protect yourself should the library change. At
this point I don't expect that given the maturity of handlebars, but it's
generally a practice I try to follow in my own projects.

On Fri, Feb 5, 2016 at 9:57 AM Kevin Locke notifications@github.com wrote:

Great, thanks. Is it documented somewhere that I missed?


Reply to this email directly or view it on GitHub
#1175 (comment)
.

@kevinoid
Copy link
Author

kevinoid commented Feb 5, 2016

Fair enough. Thanks @kpdecker and @jbboehr!

@yunyu
Copy link

yunyu commented Mar 11, 2020

@nknapp As of 2020, this workaround has stopped working and #1523 hasn't been merged, which means that this is not doable with the current release from NPM. Are there any plans to allow for this?

@nknapp
Copy link
Collaborator

nknapp commented Mar 12, 2020

Can you tell me in which versions it has worked. I wasn't aware that this has been possible at all.

@yunyu
Copy link

yunyu commented Mar 16, 2020
edited
Loading

@nknapp I just tried version v4.0.5 (which was released before February 2016) and it worked. I personally have a use case for this feature (templates that generate Markdown), and it would definitely be nice to have.

@nknapp nknapp reopened this Mar 17, 2020
@nknapp nknapp closed this as completed Mar 17, 2020
@nknapp
Copy link
Collaborator

nknapp commented Mar 17, 2020

@yunyu Please adjust this jsfiddle so that it works: If this is really a regression, I will fix it. But if it is a new feature, I need clarity for myself on how the interface should be.

My problem is actually that none of the variants that I proposed in #1523 is really good. And monkey-patching is the worst kind of interface IMHO.

As an example, I tried to use a simple "toUpperCase" as escape-function. But the ways Kevin described it about does not work with 4.0.5 and it does not with 3.0.0

https://jsfiddle.net/uepx1cs9/3/

@nknapp nknapp reopened this Mar 17, 2020
@yunyu
Copy link

yunyu commented Mar 21, 2020
edited
Loading

@nknapp See https://jsfiddle.net/o471djbe/

My mistake, I meant Handlebars.Utils.escapeExpression, which also appears to work in the current version (I had some issues monkeypatching it with TypeScript, however) but unfortunately clobbers the global Utils.escapeExpression.

@nknapp
Copy link
Collaborator

nknapp commented Mar 22, 2020

I wouldn't recommend doing that as well. Globals shouldn't be changed.

I'm closing this in favour of #1523. But in the current situation, I cannot really do a lot of open source work (schools closed due to corona, supervise kids I'm addition to working from home, there's not much energy left right now)

@nknapp nknapp closed this as completed Mar 22, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@kpdecker @jbboehr @kevinoid @nknapp @yunyu