Escaping in templates
Myk Melez
myk at mozilla.org
Tue Feb 3 20:43:03 UTC 2004
Bradley Baetz wrote:
>- If you're not producing HTML, don't HTML quote it.
This should be "if you *are* producing HTML, don't HTML quote it,"
right? I.e.:
[%# foo is HTML and should be inserted literally %]
[% foo = "<div>foo</div>" %]
[% foo %]
[%# bar is plaintext and should be filtered so <, >, and & come through
as entities rather than being treated as HTML %]
[% bar = "Joe Schmoe <joe at blah.com> said this & that." %]
[% bar FILTER html %]
-myk
More information about the developers
mailing list