[Proposal] Adding safe HTML templating to EEx


Peter Saxton

Sep 12, 2018, 2:32:51 AM
to elixir-lang-core
There has already been a small discussion around this topic on a phoenix HTML issue here.

I wanted to finish the discussion here so that there was a single point of reference.

Rationale for this proposal is that EEx templates are not safe when embedding user data in HTML content,
and reinventing functionality that is security critical is not good for the community.

Current solutions are Phoenix.HTML templates and Plug.HTML.html_escape.

As I see it.

- Plug is ubiquitous enough to be part of 99% of web-based projects, however using html_escape is opt-in,
  i.e. you have to remember to escape every piece of risky content.

  As an example of this Maru has a method to set html, but does not make any mention of the need to manage escaping.

- Phoenix.HTML templates are a sufficient solution but are not going to be part of all projects.

- I'm not sure about this but generating HTML emails should probably also be safe.

Pros

- Making good security as easily accessible as possible

Cons

- Increasing scope of core


I think the pros outweigh the cons.

As I have needed this in my own project I have built `eex_html`.
This proposal would be to merge that library into core (renaming `EExHTML` to `EEx.HTML`).
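
An added example (not from the original post, and not the `eex_html` code) of what "escaping by default" means in EEx terms: a minimal custom `EEx.Engine` that wraps every `<%= %>` interpolation in `Plug.HTML.html_escape/1`, shown next to the default engine on the same constructed user input. It assumes Plug is available as a dependency; `SafeHTMLEngine` and `SafeHTMLDemo` are names chosen for this example.

```elixir
# Added example: escape-by-default EEx engine. Assumes Plug is in deps so
# that Plug.HTML.html_escape/1 (named in the post above) is available.
defmodule SafeHTMLEngine do
  use EEx.Engine

  # <%= expr %>: inject the escaping call into the compiled template, so the
  # template author cannot forget it (escaping stops being opt-in).
  def handle_expr(state, "=", expr) do
    escaped = quote do: Plug.HTML.html_escape(to_string(unquote(expr)))
    EEx.Engine.handle_expr(state, "=", escaped)
  end

  # <% expr %> (no output marker): keep the default behaviour.
  def handle_expr(state, marker, expr) do
    EEx.Engine.handle_expr(state, marker, expr)
  end
end

defmodule SafeHTMLDemo do
  @template "<p>Hello, <%= name %>!</p>"
  # Constructed sample of untrusted user data.
  @user_input "<script>alert(1)</script>"

  # Default EEx engine: the markup is written into the page verbatim, which
  # is the problem the post describes.
  def unsafe_render do
    EEx.eval_string(@template, name: @user_input)
  end

  # Same template, same data, escaping engine: the markup is rendered as
  # text (&lt;script&gt;...), so it cannot execute.
  def safe_render do
    EEx.eval_string(@template, [name: @user_input], engine: SafeHTMLEngine)
  end
end

IO.puts(SafeHTMLDemo.unsafe_render())
IO.puts(SafeHTMLDemo.safe_render())
```

Run the file with `mix run` inside a project that depends on `:plug`; compare the two printed lines to see the difference between opt-in and default escaping.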

José Valim

Sep 12, 2018, 3:00:14 AM
to elixir-l...@googlegroups.com
Elixir today does not care or know anything about HTML - and it has no reason to. EEx is already extensible enough for people to build their own engines and that is what Elixir should focus on.

Furthermore, it doesn't scale if the solution of unifying implementations in the community is to "add them to the language". The focus should not be on core, but in the ecosystem: https://elixir-lang.org/development.html

Thanks for your proposal.

José Valim
Skype: jv.ptec
Founder and Director of R&D
