Easier html escaping with @@ annotation

Bug #509259 reported by gimenete
This bug affects 1 person
Affects: play framework (status tracked in 1.0)
  Series 1.0: Fix Released, Importance: Undecided, Assigned to: Unassigned
  Series 1.1: Fix Committed, Importance: Undecided, Assigned to: Unassigned

Bug Description

Currently the correct way to generate a URL pointing to a controller in play! is the following:

<a href="${actionBridge.Application.index('foo', 'bar').url.escapeHtml() }">click</a>

The problem with @{} or @@{} is that it doesn't escape the HTML output. So if you have a controller that needs two arguments in the query string of the URL, with @{} you get something like this:

<a href="/?b=bar&a=foo">click</a>

Which is wrong because the ampersand is not escaped to &amp;

So the correct way is to use ${actionBridge.xxxx.url.escapeHtml()} which is too verbose.

I suggest something like the new auto-html-escaping facility. Maybe the @{} notation should always do html escaping when executing a template where the response has a text/html contentType.

Revision history for this message
Guillaume Bort (guillaume-bort) wrote : Re: [Bug 509259] [NEW] Easier html escaping with @@ annotation

Can you test with:

<a href="@{Application.index('foo', 'bar').escape()}">click</a> ?

On Mon, Jan 18, 2010 at 6:53 PM, gimenete <email address hidden> wrote:

Revision history for this message
gimenete (gimenete) wrote :

That's great. It works!

The point is that maybe that should be the default behaviour. I'm not
sure, because it is not true for plain text mail templates, but it is almost
always true in html templates.

Thank you Guillaume.

On Mon, Jan 18, 2010 at 7:09 PM, Guillaume Bort
<email address hidden> wrote:

Revision history for this message
Guillaume Bort (guillaume-bort) wrote :

Is it also true in HTML5?

On Mon, Jan 18, 2010 at 7:23 PM, gimenete <email address hidden> wrote:

Revision history for this message
gimenete (gimenete) wrote :

Yes, it's true for any XML-like language, because <, > and & are
reserved characters.

You cannot use:

<p>Ey, 1 is < 2 & 2 is > 1</p>

The same is true in element attributes such as href, src, etc.

On Mon, Jan 18, 2010 at 7:31 PM, Guillaume Bort
<email address hidden> wrote:

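As an added example (not code from the Play framework or from anyone in this thread) of the two encoding layers the report and the comment above describe: query values are percent-encoded first, the whole URL is then HTML-escaped for the href attribute, and a small check flags the bare '&' that @{} left in the markup. The function names are constructed for this illustration.

```python
# Constructed example: URL-encode, then HTML-escape, then put in an attribute.
import html
import re
from urllib.parse import parse_qs, urlencode, urlsplit


def action_url(path: str, **params: str) -> str:
    """Raw URL as a reverse-router would emit it: each value is
    percent-encoded, so a '&' inside a value never becomes a separator."""
    return f"{path}?{urlencode(params)}" if params else path


def html_attr(value: str) -> str:
    """Escape for a double-quoted attribute: '&' -> '&amp;', '"' -> '&quot;',
    '<' and '>' too. This is the layer the report says @{} was missing."""
    return html.escape(value, quote=True)


def html_text(value: str) -> str:
    """Escape for element content, e.g. the '<p>1 is < 2 & 2 is > 1</p>' case."""
    return html.escape(value, quote=False)


def href(path: str, **params: str) -> str:
    """Safe anchor: URL-encoding inside, HTML attribute escaping outside."""
    return f'<a href="{html_attr(action_url(path, **params))}">click</a>'


# A bare '&' is one not followed by a complete named or numeric reference.
_BARE_AMP = re.compile(r"&(?![A-Za-z][A-Za-z0-9]*;|#[0-9]+;|#[xX][0-9A-Fa-f]+;)")


def has_bare_ampersand(markup: str) -> bool:
    """Template-output check: True if the markup contains an unescaped '&'."""
    return _BARE_AMP.search(markup) is not None


def recover_params(anchor: str) -> dict:
    """What a browser does with the href: undo the HTML escaping, then parse
    the query string. Confirms that both layers round-trip correctly."""
    start = anchor.index('href="') + len('href="')
    raw = html.unescape(anchor[start:anchor.index('"', start)])
    return {k: v[0] for k, v in parse_qs(urlsplit(raw).query).items()}
```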
