Sprockets, JST, Eco and escaping


Rodrigo Rosenfeld Rosas

May 7, 2012, 3:18:59 PM
to rubyonra...@googlegroups.com
While it was a good move on Rails' part to escape ERB <%= %> tags by default, it doesn't seem to happen in Sprockets as well.

The strange bit is that according to the Sprockets documentation, it would be just a matter of naming your template as .jst.eco to enable Eco:

https://github.com/sstephenson/sprockets#javascript-templating-with-ejs-and-eco

Then, extracted from the Eco documentation:

https://github.com/sstephenson/eco


<%= expression %>: Evaluate a CoffeeScript expression, *escape* its return value, and print it.

It means that by default it should escape "expression". So why isn't escaping happening by default on Rails JST eco templates?

I know about templating alternatives like Handlebars or Knockout, but I actually want to be able to use some ERB-like template.

For example, as far as I could find out, Handlebars won't support local helpers. I don't like the idea of polluting the global space with lots of helpers because it would be a mess for me to maintain such code.

Also, I miss an easy way to embed something like products_path in my ECO templates for obvious reasons, but this is a minor issue for me... Escaping is a very important one though.

Thanks in advance,
Rodrigo.

Rodrigo Rosenfeld Rosas

May 7, 2012, 3:23:28 PM
to rubyonra...@googlegroups.com
Sorry, please ignore this message.

It does escape. The problem is that Chrome's inspector won't show them escaped.

Sorry, again,
Rodrigo.
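
The confusion resolved above, as an added example that is not part of the original thread and is not Eco's or Sprockets' code: check escaping on the string the template returns, not on the inspector's DOM view, which shows text nodes with entities already decoded. `escapeHtml`, `renderItem` and `asInspectorText` are hypothetical stand-ins, and the sample input is constructed.

```javascript
// Stand-in for the escaping that Eco documents for <%= expression %>.
// Assumption: this is a generic HTML escaper, not Eco's actual implementation.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;") // first, so the entities added below are not re-escaped
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Hypothetical compiled template: like a JST function, it returns an HTML string.
function renderItem(ctx) {
  var name = escapeHtml(ctx.name);
  return '<li title="' + name + '">' + name + "</li>";
}

// Approximates what a DOM inspector displays for the element's text node:
// the template's own tags are parsed away and entities are decoded.
function asInspectorText(html) {
  return html
    .replace(/<[^>]*>/g, "")
    .replace(/&lt;/g, "<")
    .replace(/&gt;/g, ">")
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&amp;/g, "&"); // last, so "&amp;lt;" decodes to "&lt;" and not "<"
}

// True when the raw value never reaches the markup unescaped.
function isEscapedIn(html, rawValue) {
  return html.indexOf(rawValue) === -1;
}

// Constructed sample input containing markup characters.
var SAMPLE = { name: '<b>Tom & "Jerry"</b>' };
var html = renderItem(SAMPLE);

console.log("template output :", html);                   // entities present
console.log("inspector view  :", asInspectorText(html));  // looks unescaped
console.log("escaped?        :", isEscapedIn(html, SAMPLE.name));
```

In a browser, the same check is to log the string returned by the template function (or the element's `innerHTML`) rather than reading the text shown in the Elements panel.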