ruricolist/spinneret

Quotes escaping breaks rendering of JS code

svetlyak40wt opened this issue · 4 comments

For example, previously we were able to do this:

CL-USER> (spinneret:with-html
           (:script :type "text/javascript"
                    "console.log('Hello')"))
<script type=text/javascript>console.log('Hello')</script>

But now spinneret generates:

CL-USER> (spinneret:with-html
           (:script :type "text/javascript"
                    "console.log('Hello')"))
<script type=text/javascript>console.log(&#39;Hello&#39;)</script>

When loading such a site in the browser (chrome-based), I get this error in the developer console:

Uncaught SyntaxError: Unexpected token '&'

Probably, we need not do this escaping inside SCRIPT blocks? Maybe STYLE nodes also should not contain escaped quotes?

I found a temporary workaround. JS code can be wrapped in :RAW:

CL-USER> (spinneret:with-html
           (:script :type "text/javascript"
                    (:raw "console.log('Hello')")))
<script type=text/javascript>console.log('Hello')</script>

That's the intended behavior. I'm reluctant to add special cases to the general rule of "HTML output is always escaped unless you specifically request otherwise."

Ok. Then I'll fix this problem by adding :raw where it is applicable.

I've checked how escaping works for attribute values and found that single quotes are not escaped, but double quotes are:

REBLOCKS-TEST/DEPENDENCIES> (spinneret:with-html
                              (:a :href "#"
                                  :onclick "console.log('Hello world!')"))
<a href=# onclick="console.log('Hello world!')"></a>
NIL

REBLOCKS-TEST/DEPENDENCIES> (spinneret:with-html
                              (:a :href "#"
                                  :onclick "console.log(\"Hello world!\")"))
<a href=# onclick="console.log(&quot;Hello world!&quot;)"></a>
NIL

Do you consider it a bug that should be fixed in the future?

I don't think it's a bug, but out of an abundance of caution I've set them to be escaped as well.
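
The context difference behind this thread, as an added example that is not part of the original issue or spinneret's code: browsers do not decode character references inside a script element, so HTML escaping corrupts the JS, while unescaped (:raw-style) output needs its own script-context encoding for any data it carries. The function names and the sample value are assumptions made for illustration.

```javascript
// Added example; function names are assumptions, not spinneret's API.

// Escaping for ordinary HTML text and attribute values.
function escapeHtmlText(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Encoding for a data value placed inside <script>: a JSON literal whose
// HTML-significant characters are written as \uXXXX, which JS decodes itself.
function toScriptLiteral(value) {
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g, (c) =>
    '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// True if a script body contains text the HTML parser treats as the
// end of the script element, regardless of JS string quoting.
function closesScriptEarly(body) {
  return /<\/script/i.test(body);
}

// Constructed sample value standing in for data that reaches a template.
const sample = 'Hello</script><b>x';

// Unescaped (:raw-style) interpolation versus the script-context encoding.
const rawBody = 'console.log("' + sample + '")';
const safeBody = 'console.log(' + toScriptLiteral(sample) + ')';

// HTML escaping applied to script content reproduces the output from the issue.
console.log(escapeHtmlText("console.log('Hello')"));
console.log(closesScriptEarly(rawBody), closesScriptEarly(safeBody));
console.log(safeBody);
```

The encoded literal round-trips through `JSON.parse`, so the script sees the original string while the HTML parser never sees a closing tag inside the body.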