Avoiding HTML escaping

318 views
Skip to first unread message

Baishampayan Ghose

unread,
Aug 26, 2011, 9:55:03 AM8/26/11
to Enlive Clojure
Hi,

I need to set the `src` attr of a <script> tag and the `src` attr
looks like "http://yahoo.com/?x=1&y=2". Right now, the string is
getting escaped and that's causing problems. I remember that the old
Enlive has a function called `escaped` which would avoid further
escaping, but that's gone now after the refactoring.

Is there any idiomatic way to avoid escaping of certain strings in
Enlive? Hacky solutions are welcome as well :-)

Regards,
BG

--
Baishampayan Ghose
b.ghose at gmail.com

Justin

unread,
Sep 24, 2011, 1:23:28 AM9/24/11
to Enlive
I also need a solution to this. What's the best way to have en live
not escape something? Any help would be greatly appreciated.

Justin

unread,
Sep 24, 2011, 1:21:59 AM9/24/11
to Enlive
I also would like need a solution to this. What's the best way to tell
enlive not to escape something? Sorry I'm kind of new to this. Any
advice would be greatly appreciated.

On Aug 26, 6:55 am, Baishampayan Ghose <b.gh...@gmail.com> wrote:

Nandan Bagchee

unread,
Sep 24, 2011, 9:14:28 PM9/24/11
to enliv...@googlegroups.com

I also would like need a solution to this. What's the best way to tell
enlive not to escape something? Sorry I'm kind of new to this. Any
advice would be greatly appreciated.


I don't know what the best way is, but take a look at this commit, that's what we're using.

Christophe Grand

unread,
Sep 26, 2011, 5:05:48 AM9/26/11
to enliv...@googlegroups.com
Hi all,

This topic is becoming hot.

First, I'd like to know which software mishandle ampersand escaping in attributes values.
Second I have to acknowledge that some software is broken and give a way to fix that.

<a href="http://yahoo.com/?x=1&y=2">...</a> is theoretically valid only in HTML5.

Are the three of us experiencing troubles only with ampersands in attributes or do you really want to insert random strings in the middle of a template's output? In the latter case I'd like to know more on your whole setup and deciding if a facility to insert random output needs to be added back.

Anyway I acknowledge that the serialization mechanism needs to be tunable (at least two options: xml-strict and html5+non-ambiguous amersand+style/script at least).

Now, hide the kids, use at your own risks, I make no promise in maintinng compatibility with that etc. the hacky solution:
=> (defn raw [s]
     (vary-meta {:tag :xyzzy :content []}
       assoc-in [::h/annotations :emit] (fn [_ etc] (cons s etc))))
#'user/raw
=> (h/emit* {:tag :div :content ["&" (raw "&")]})
("<" "div" ">" "&amp;" "&" "</" "div" ">")

It doesn't work at the attribute level so you have to generate the whole element by yourself.

And please give me more context on your actual needs and problems towards escaping.

Christophe

--
You received this message because you are subscribed to the Google Groups "Enlive" group.
To post to this group, send email to enliv...@googlegroups.com.
To unsubscribe from this group, send email to enlive-clj+...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/enlive-clj?hl=en.



--
Professional: http://cgrand.net/ (fr)
On Clojure: http://clj-me.cgrand.net/ (en)

Nandan Bagchee

unread,
Sep 26, 2011, 6:06:00 AM9/26/11
to enliv...@googlegroups.com
<a href="http://yahoo.com/?x=1&y=2">...</a> is theoretically valid only in HTML5.


We're using this to insert script tag attributes that hit up yahoo's servers for combined js files. Example:


versus

<script class="z_yui" src="http://yui.yahooapis.com/combo?3.3.0/build/yui/yui-min.js&3.3.0/build/loader/loader-min.js" type="text/javascript"></script>

 
Are the three of us experiencing troubles only with ampersands in attributes or do you really want to insert random strings in the middle of a template's output?

Only ampersands in attributes, and only for inserting versioned/combined javascript (eg foo.com/?f.js&version=2211)

Anyway I acknowledge that the serialization mechanism needs to be tunable (at least two options: xml-strict and html5+non-ambiguous amersand+style/script at least).

That would be great, but at present our need is limited to script tags.
  

Christophe Grand

unread,
Sep 26, 2011, 9:02:01 AM9/26/11
to enliv...@googlegroups.com
On Mon, Sep 26, 2011 at 12:06 PM, Nandan Bagchee <nandan....@gmail.com> wrote:
<a href="http://yahoo.com/?x=1&y=2">...</a> is theoretically valid only in HTML5.


We're using this to insert script tag attributes that hit up yahoo's servers for combined js files. Example:


versus

<script class="z_yui" src="http://yui.yahooapis.com/combo?3.3.0/build/yui/yui-min.js&3.3.0/build/loader/loader-min.js" type="text/javascript"></script>

Which browsers are choking on the &amp; ?

Nandan Bagchee

unread,
Oct 4, 2011, 3:34:21 AM10/4/11
to enliv...@googlegroups.com


<script class="z_yui" src="http://yui.yahooapis.com/combo?3.3.0/build/yui/yui-min.js&3.3.0/build/loader/loader-min.js" type="text/javascript"></script>

Which browsers are choking on the &amp; ?

 

Chrome 15+ and Firefox 6
Sorry for the late reply.

Christophe Grand

unread,
Oct 7, 2011, 2:50:08 AM10/7/11
to enliv...@googlegroups.com
I created a test page and it works fine for me on FF6 and Chrom 14 well I just test that the script is actually loaded: alert(YUI !== undefined) reports true.
Which doctype are you using?


--
You received this message because you are subscribed to the Google Groups "Enlive" group.
To post to this group, send email to enliv...@googlegroups.com.
To unsubscribe from this group, send email to enlive-clj+...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/enlive-clj?hl=en.

Christophe Grand

unread,
Nov 24, 2011, 12:03:30 PM11/24/11
to enliv...@googlegroups.com
Hi,

I haven't had time to work on it or even to reproduce the bug but I have to acknowledge that some implementations are broken and need malformed html to work.

So the idea is to add a new unsafe-string function (and certainly the corresponding type) and to modify xml-str and attr-str to recognize unsafe-strings -- this can be part of the effort for a better emit and a less hacky representations of comments (hint: defrecord).

I don't clearly remember your current fix Nandan but I think it relied on custome attributes.

Christophe
Reply all
Reply to author
Forward
0 new messages