
Simon Willison’s Weblog

Most HTML templating languages are written incorrectly.

“If you ever find yourself in the position of designing an html template language, please make the default behavior when including variables be to HTML-escape them.” I couldn’t agree more.


5 comments

  1. Likewise, I've been banging this drum for some time...

    P.S. Could you accept UTF-8 in your comments rather than ASCII? I can't type a proper ellipsis. And using character references causes a 500 error. Thanks.

    Dominic Mitchell - 15th April 2007 21:38 - #

  2. Part of the problem is that often templating languages try to serve multiple masters. If you're a generic ("text") templating language, you may feel it's dirty to special-case HTML.

    There are also at least two major contexts in which you need to escape in HTML - in text between tags, and in attributes on a tag. Sure, there may be a way to handle both at the same time, but it seems a very inelegant solution.

    XML-based templating languages (like Genshi) solve most of this problem correctly - because they don't need to serve other masters. Even if you're not outputting XML/XHTML, at least you're inputting the data correctly into the data structure that is going to generate the output. (The output will be "correct", even if it doesn't quite look like you want it to...)

    Their major downside is that they really make it hard for you to do "wrong" things (at least, according to XML) that may be necessary in reality.

    (The other "downside" of having to learn two templating languages - ie, another for non-XML/HTML - isn't much of a downside.)

    Neil Blakey-Milner - 15th April 2007 21:43 - #
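The point of the post (escape by default, opt out explicitly) together with the two contexts the comment above distinguishes, text between tags and a quoted attribute value, in runnable form. This is an added illustration, not code from Simon Willison, Django or Genshi: the `render`, `escape`, `mark_safe`, `SafeString` and `roundtrip` names, the `{{ var }}` / `{{ var|safe }}` syntax, the `PAGE` template and the payload strings are all constructed for the example.

```python
import html
import re

# Added illustration: a tiny {{ var }} renderer that escapes by default.
# Not code from Simon Willison, Django or Genshi; SafeString, mark_safe,
# escape, render and the sample template/payloads are assumed for this example.

_VAR = re.compile(r"\{\{\s*(\w+)(?:\|(\w+))?\s*\}\}")


class SafeString(str):
    """Trusted markup: the renderer passes it through without escaping."""


def mark_safe(markup):
    """Explicit opt-out for markup the application has already sanitised."""
    return SafeString(markup)


def escape(value):
    """Escape &, <, >, " and '. The result is marked safe so that escaping
    twice does not double-encode (&lt; must not become &amp;lt;)."""
    if isinstance(value, SafeString):
        return value
    return SafeString(html.escape(str(value), quote=True))


def roundtrip(value):
    """Escaping is lossless: unescaping the output gives the input back."""
    return html.unescape(escape(value))


def render(template, context, autoescape=True):
    """Substitute {{ name }} and {{ name|safe }} from context.

    autoescape=True is the default the post argues for: every value is escaped
    unless the template author writes |safe or the value is a SafeString.
    autoescape=False reproduces the "escape by hand" design, where one
    forgotten filter is an injection.
    """
    def substitute(match):
        name, filt = match.group(1), match.group(2)
        if filt not in (None, "safe"):
            raise ValueError(f"unknown filter {filt!r}")
        value = context[name]
        if not autoescape or filt == "safe":
            return str(value)
        return escape(value)

    return _VAR.sub(substitute, template)


# Constructed attacker-controlled values for the two contexts the comment
# distinguishes: text between tags and a double-quoted attribute value.
PAYLOAD_TEXT = "<script>alert(1)</script>"
PAYLOAD_ATTR = '" onmouseover="alert(1)'

PAGE = '<p class="c">{{ comment }}</p><input value="{{ q }}">'


def render_default(comment, q):
    """Autoescape on: both payloads come out inert."""
    return render(PAGE, {"comment": comment, "q": q})


def render_legacy(comment, q):
    """Autoescape off: the same template is injectable in both contexts."""
    return render(PAGE, {"comment": comment, "q": q}, autoescape=False)


def render_trusted(markup):
    """Opting out on the value side: a SafeString is never re-escaped."""
    return render("<div>{{ body }}</div>", {"body": mark_safe(markup)})


if __name__ == "__main__":
    print(render_default(PAYLOAD_TEXT, PAYLOAD_ATTR))
    print(render_legacy(PAYLOAD_TEXT, PAYLOAD_ATTR))
    print(render_trusted("<em>ok</em>"))
```

The escaping covers both contexts only because the attribute in `PAGE` is quoted; an unquoted attribute, or a `href` receiving a `javascript:` URL, needs more than character escaping, which is the kind of case the comment's "more than one context" remark points at.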

  3. Dominic: I think it does accept UTF-8 properly, it’s just that previewing of comments messes them up. Let's see: ČĆŽĐŠčćžđš “‘’” — – …

    Šime Ramov - 15th April 2007 22:55 - #

  4. Ah-ha!

    I was wondering why my rarely-gets-any-comments livejournal suddenly got five comments this time, all from complete strangers. I'm guessing you found my entry through something that searches out livejournal posts with particular tags or phrases?

    Daniel Martin - 17th April 2007 00:49 - #

  5. It seems there is some movement on this with Django:
    http://code.djangoproject.com/wiki/AutoEscapingProposals

    Jeremy Dunck - 19th April 2007 14:35 - #
