Making Jade work for the White House

Jed Wood

Oct 16, 2012, 5:44:32 PM10/16/12
to jad...@googlegroups.com
TJ and Jade Friends-

I'll start with the punchline.

How can I best let PHP tags pass through Jade untouched?

This:
form#new-vendor-form(action="<?php echo route('vendors') ?>", method="POST")

and this:
form#new-vendor-form(action="\<?php echo route('vendors') ?\>", method="POST")

But both result in:
<form id="new-vendor-form" action="&lt;?php echo route('vendors') ?&gt;" method="POST"> 

Could it be as simple as making this line:
only escape html tags that don't have the ? before/after them?

Read on for some context.

I'm working on a cool project under the White House CTO that's trying to make it easier for the U.S. government to acquire technology from startups and small tech companies. Unfortunately, we're bound to using PHP for the core of the app. But we're trying to make that as painless as possible. We've got stylus working, and we're using a good framework called Laravel. We put a lot of effort into getting this PHP port of jade integrated and it works okay, but we're running into too many little annoying issues and we'd rather stick with proper Jade if possible.

TJ, hopefully you can help your friends south of the border! :) 

Thanks,

jed wood

vision media [ Tj Holowaychuk ]

Oct 17, 2012, 10:56:05 AM10/17/12
to jad...@googlegroups.com
hey! sounds cool :) there is an (ugly) unescaped attribute syntax the same as regular unescaped buffering:

foo(something!='<val>')

<foo something="<val>">

it's somewhat ugly by design so it stands out as insecure for user input. we could add additional logic for strings with no js expressions and leave those unescaped, but that's not something I've had time to look at, or much of a need personally, so it's been really low priority
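
A minimal model of the two attribute syntaxes TJ describes, added here as an example (not jade's own code): the default escaped form reproduces the `&lt;?php ... ?&gt;` output from the question, the `!=` form passes the tag through, and a constructed value containing a double quote shows why the unescaped form is the one to keep away from user input. The `attr`, `rawAttr` and `renderForm` names are this example's own.

```javascript
// Added example, not code from the jade project: a minimal model of the two
// attribute syntaxes in this thread. attr() models `name='value'` (escaped by
// default) and rawAttr() models the `name!='value'` form TJ describes.

// Escape the characters that matter inside a double-quoted attribute value.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
}

// `name='value'`: the value is escaped, so markup inside it is inert.
function attr(name, value) {
  return `${name}="${escapeAttr(value)}"`;
}

// `name!='value'`: the value is emitted verbatim, whatever it contains.
function rawAttr(name, value) {
  return `${name}="${value}"`;
}

// Render `form#id(...)` from [name, value, unescaped] triples.
function renderForm(id, attrs) {
  const parts = attrs.map(([name, value, unescaped]) =>
    unescaped ? rawAttr(name, value) : attr(name, value));
  return `<form id="${id}" ${parts.join(' ')}>`;
}

// The PHP tag from the original question (a template fragment, not user input).
const PHP_TAG = "<?php echo route('vendors') ?>";

// Default syntax: the tag is turned into entities, which is what Jed saw.
const ESCAPED_FORM = renderForm('new-vendor-form',
  [['action', PHP_TAG, false], ['method', 'POST', false]]);

// != syntax: the tag survives for the PHP stage to expand later.
const UNESCAPED_FORM = renderForm('new-vendor-form',
  [['action', PHP_TAG, true], ['method', 'POST', false]]);

// Why the default is the safe one: with a constructed value containing a
// double quote, escaping keeps it inside one attribute, while the raw form
// lets the quote end the attribute and the rest of the string become markup.
const QUOTED_VALUE = 'a" b="c';
const SAFE = attr('title', QUOTED_VALUE);      // title="a&quot; b=&quot;c"
const UNSAFE = rawAttr('title', QUOTED_VALUE); // title="a" b="c"
```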

Jed Wood

Oct 17, 2012, 10:44:09 PM10/17/12
to jad...@googlegroups.com, t...@vision-media.ca
Thanks TJ. We might give that a shot. Understandable that you wouldn't want to put effort into supporting an edge use case like this.

Cheers,
-Jed