enthus1ast/nimja

variable output {{myVar}} should html encode per default

enthus1ast opened this issue · 3 comments

Not sure anymore if Nimja should escape HTML, since other stuff than HTML could be templated.
Does anyone have an opinion on this?

Closed for now; if you think Nimja should, please reopen.

ajusa commented

Hm, I think it'd be nice to have Nimja escape HTML (but not by default). For anyone else who finds this issue, I think you can use https://nim-lang.org/docs/xmltree.html#escape%2Cstring then use Nimja's filter syntax to escape HTML, especially if it comes from an untrusted source.
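
An added example, not code from the thread or from the Nimja project, showing the opt-in escaping suggested above: the same template rendered with raw `{{ }}` output and with `xmltree.escape` applied to each value. It assumes Nimja's `compileTemplateStr` macro and that `{{ }}` accepts an arbitrary Nim expression; the `Comment` type, the proc names and the sample input are constructed for illustration.

```nim
import nimja                          # assumed: provides the compileTemplateStr macro
import std/xmltree                    # escape(s: string): string
from std/strutils import contains    # substring checks only; avoids clashing with strutils.escape

type Comment = object                 # hypothetical record holding untrusted input
  author, body: string

proc renderRaw(c: Comment): string =
  ## Plain {{ }} output: the value is emitted as-is, so markup in the data
  ## becomes markup in the page.
  compileTemplateStr("""<div title="{{ c.author }}">{{ c.body }}</div>""")

proc renderEscaped(c: Comment): string =
  ## Each untrusted value goes through xmltree.escape, which rewrites
  ## < > & " ' as entities. Qualified so it cannot resolve to strutils.escape.
  compileTemplateStr(
    """<div title="{{ xmltree.escape(c.author) }}">{{ xmltree.escape(c.body) }}</div>""")

when isMainModule:
  # Constructed sample input: a quote that would end the attribute value and
  # a tag that would be parsed as an element.
  let c = Comment(author: "a\" b", body: "<b>hi</b> & bye")

  let raw = renderRaw(c)
  let safe = renderEscaped(c)

  doAssert "<b>hi</b>" in raw         # data reached the page as markup
  doAssert "title=\"a\" b\"" in raw   # attribute value closed early by the data

  doAssert "<b>" notin safe
  doAssert "title=\"a&quot; b\"" in safe
  doAssert "&lt;b&gt;hi&lt;/b&gt; &amp; bye" in safe

  echo raw
  echo safe
```

`xmltree.escape` fits HTML text and quoted attribute values; values templated into other output formats need the encoding for that format.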