[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Chicken-janitors] #890: hyde doesn't do any HTML-escaping for unknown l
From: |
Chicken Trac |
Subject: |
[Chicken-janitors] #890: hyde doesn't do any HTML-escaping for unknown languages |
Date: |
Sat, 28 Jul 2012 15:17:44 -0000 |
#890: hyde doesn't do any HTML-escaping for unknown languages
----------------------------------+-----------------------------------------
Reporter: sjamaan | Owner: syn
Type: defect | Status: new
Priority: major | Milestone:
Component: extensions | Version:
Keywords: escaping, html, hyde |
----------------------------------+-----------------------------------------
The following will put the HTML code as-is into the output instead of
escaping the angular brackets.
{{{
<enscript highlight="html">
<div>
<span>Hello, <strong>dear</strong> friends.</span>
<span>This is a simple example.</span>
</div>
</enscript>
}}}
The problem here is that hyde calls colorize with an exception handler
which just returns the original code. This code is then injected, whereas
colorize will return HTML, taking care of escaping.
Actually, hyde should choose whether it wants to do string manipulation or
use SXML throughout. Using {{{inject}}} is a nasty hack and should be
avoided. Take a look at qwiki; it calls {{{html->sxml}}} on the output of
colorize and any other user-supplied HTML. If hyde would do this, it also
ensures that any mistakes in any of the converters (or the user's own
code) don't mess up the SXML structure.
--
Ticket URL: <http://bugs.call-cc.org/ticket/890>
Chicken Scheme <http://www.call-with-current-continuation.org/>
Chicken Scheme is a compiler for the Scheme programming language.
- [Chicken-janitors] #890: hyde doesn't do any HTML-escaping for unknown languages,
Chicken Trac <=