Ticket #7199 (closed bug: duplicate)
jQuery templating plug-in incorrect HTML encoding
| Reported by: | anonymous | Owned by: | BorisMoore |
|---|---|---|---|
| Priority: | low | Milestone: | |
| Component: | templates | Version: | 1.4.3 |
| Keywords: | ampersand templating | Cc: | |
| Blocking: | | Blocked by: | |
Description
The templating plugin doesn't encode the '&' character. When I have the following text in a data object: '&nbsp;', the templating plug-in renders whitespace instead of this string.
jquery.tmpl.js contains the following comment in the 'encode' function: "Do HTML encoding replacing < > & and ' and " by corresponding entities." But no manipulation of the '&' character exists: return ("" + text).split("<").join("&lt;").split(">").join("&gt;").split('"').join("&#34;").split("'").join("&#39;");
Change History
comment:1 Changed 3 years ago by snover
- Priority changed from undecided to blocker
- Status changed from new to open
- Component changed from unfiled to templates
comment:2 follow-up: ↓ 3 Changed 3 years ago by addyosmani
- Keywords ampersand templating added
- Priority changed from blocker to low
- Status changed from open to closed
- Resolution set to worksforme
&nbsp; is a non-breaking space (HTML entity). If you're trying to get the ampersand character to work, rather than including it in a reference to &nbsp;, simply try using &amp; instead and it should render fine.
If otherwise you are actually trying to render the complete string to be interpreted literally, you could probably do something like &amp;nbsp; instead.
comment:3 in reply to: ↑ 2 Changed 3 years ago by anonymous
Replying to addyosmani:
&nbsp; is a non-breaking space (HTML entity). If you're trying to get the ampersand character to work, rather than including it in a reference to &nbsp;, simply try using &amp; instead and it should render fine.
If otherwise you are actually trying to render the complete string to be interpreted literally, you could probably do something like &amp;nbsp; instead.
As I understand it, only the {{html}} template tag should render unencoded HTML text. The ${} tag should escape values. As you described, &nbsp; is an HTML entity and it should be encoded into plain text. All '&' characters should be encoded in this plug-in, not on the server side. Otherwise ${} will render "half-encoded" text (without tags but with HTML entities). To prevent XSS attacks all of these characters should be escaped: ", ', <, >, &.
comment:4 Changed 3 years ago by BorisMoore
- Status changed from closed to reopened
- Resolution worksforme deleted
- Milestone 1.4.4 deleted
comment:5 Changed 3 years ago by BorisMoore
- Owner set to BorisMoore
- Status changed from reopened to assigned
I'll look at this.
comment:6 Changed 2 years ago by jonathan.protzenko@…
I've uploaded a testcase (reduced) at http://jonathan.protzenko.free.fr/jquery-tmpl/t.xhtml .
The thing is, simply using ${t} within the template when t = "&" makes the ultimate .innerHTML call fail, because ampersands simply are not encoded properly. When the document happens to be XML, this is fatal. This is especially painful for XML+XHTML documents, because that makes the whole thing a syntax error, and the templating fails.
As a side note, I have a very good reason for using strict XML, so switching to a non-XML document is not a solution.
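As an added example (not the ticket's or jquery-tmpl's own code, apart from the encode body quoted in the description), the buggy encode beside a corrected version that handles '&' first, with checks for the "half-encoded" output comment 3 describes and for the bare ampersand that is a fatal parse error in the XML documents of comment 6. The decoder and the check functions are illustrative helpers written for this example.

```javascript
// The encode function as quoted in the ticket description: no '&' handling.
function encodeBuggy(text) {
  return ("" + text).split("<").join("&lt;").split(">").join("&gt;")
    .split('"').join("&#34;").split("'").join("&#39;");
}

// Corrected: '&' is replaced FIRST, so the entities produced by the later
// replacements are not themselves re-encoded (e.g. "&lt;" -> "&amp;lt;").
function encodeFixed(text) {
  return ("" + text).split("&").join("&amp;")
    .split("<").join("&lt;").split(">").join("&gt;")
    .split('"').join("&#34;").split("'").join("&#39;");
}

// Wrong order, for comparison: encoding '&' last double-encodes the markup entities.
function encodeWrongOrder(text) {
  return encodeBuggy(text).split("&").join("&amp;");
}

// Minimal decoder (constructed helper) for the entities used here plus &nbsp;,
// mimicking what a browser shows. ${} output is correct only if decoding the
// encoded value gives back exactly the original data string.
function decodeEntities(html) {
  var table = { amp: "&", lt: "<", gt: ">", nbsp: "\u00A0", "#34": '"', "#39": "'" };
  return html.replace(/&(amp|lt|gt|nbsp|#34|#39);/g, function (m, name) {
    return table[name];
  });
}

// Is there an '&' that does not start an entity reference? In an XML/XHTML
// document such an ampersand makes the innerHTML assignment a fatal parse error;
// in HTML it is silently reinterpreted, which is how '&nbsp;' became a space.
function hasBareAmpersand(html) {
  return /&(?![a-zA-Z]+;|#\d+;)/.test(html);
}

// Round-trip check: does the rendered text equal the data that was passed in?
function roundTrips(encode, text) {
  return decodeEntities(encode(text)) === text;
}
```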
comment:7 Changed 2 years ago by BorisMoore
- Status changed from assigned to closed
- Resolution set to duplicate
Resolving as a dup of the new issue I created for this here: https://github.com/jquery/jquery-tmpl/issues/79. We will be using the Issue tracker for jQuery Template bugs...
Please follow the bug reporting guidelines and use jsFiddle when providing test cases and demonstrations instead of pasting the code in the ticket.
