
#7199 closed bug (duplicate)

Opened October 15, 2010 11:28AM UTC

Closed March 04, 2011 08:08PM UTC

Last modified March 13, 2012 07:53PM UTC

jQuery templating plug-in incorrect HTML encoding

Reported by: anonymous
Owned by: BorisMoore
Priority: low
Milestone:
Component: templates
Version: 1.4.3
Keywords: ampersand templating
Cc:
Blocked by:
Blocking:
Description

The templating plugin doesn't encode the '&' character. When I have the following text in the data object: '&nbsp;', the templating plug-in renders whitespace instead of this string.

jquery.tmpl.js contains the following comment in the 'encode' function:

// Do HTML encoding replacing < > & and ' and " by corresponding entities.

But no manipulation of the '&' character exists:

return ("" + text).split("<").join("&lt;").split(">").join("&gt;").split('"').join("&#34;").split("'").join("&#39;");

Attachments (0)
Change History (7)

Changed October 15, 2010 05:31PM UTC by snover comment:1

component: unfiled → templates
priority: undecided → blocker
status: new → open

Changed October 16, 2010 02:12AM UTC by addyosmani comment:2

keywords: → ampersand templating
priority: blocker → low
resolution: → worksforme
status: open → closed

&nbsp; is a non-breaking space (html entity). If you're trying to get the ampersand character to work, rather than including it in a reference to &nbsp;, simply try using &amp; instead and it should render fine.

If otherwise you are actually trying to render the complete string &nbsp; to be interpreted literally, you could probably do something like &amp;nbsp; instead.

Changed October 16, 2010 10:30AM UTC by anonymous comment:3

Replying to [comment:2 addyosmani]:

&nbsp; is a non-breaking space (html entity). If you're trying to get the ampersand character to work, rather than including it in a reference to &nbsp;, simply try using &amp; instead and it should render fine. If otherwise you are actually trying to render the complete string &nbsp; to be interpreted literally, you could probably do something like &amp;nbsp; instead.

As I understand it, only the {{html}} template tag should render unencoded HTML text. The ${} tag should escape values. As you described, &nbsp; is an HTML entity and it should be encoded into plain text. All '&' characters should be encoded in this plug-in, not on the server side. Otherwise ${} will render "half-encoded" text (without tags but with HTML entities). To prevent XSS attacks all of these characters should be escaped: ", ', <, >, &.
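As an added example (not code from jquery-tmpl or from any commenter on this ticket), the 1.4.3 encode() quoted in the description is reproduced beside a corrected version that also escapes '&', replacing it first so the entities produced for the other characters are not themselves re-encoded; a small entity decoder and a round-trip check show which data values each encoder gets wrong. The decoder and sample values are constructed for this example.

```javascript
// The encode() quoted in this ticket (jquery.tmpl.js 1.4.3), reproduced for comparison.
// It never touches '&', so data such as "&nbsp;" or "&lt;b&gt;" survives as live markup.
function encodeBuggy(text) {
  return ("" + text).split("<").join("&lt;").split(">").join("&gt;")
    .split('"').join("&#34;").split("'").join("&#39;");
}

// Corrected version (written for this example, not the upstream fix): '&' is replaced
// first, so the entities emitted for the other four characters are not re-encoded.
function encodeFixed(text) {
  return ("" + text).split("&").join("&amp;")
    .split("<").join("&lt;").split(">").join("&gt;")
    .split('"').join("&#34;").split("'").join("&#39;");
}

// Minimal single-pass decoder approximating what innerHTML would display for the
// entities used here; it only serves to check the encoders, it is not a full HTML parser.
const ENTITIES = {
  "&amp;": "&", "&lt;": "<", "&gt;": ">",
  "&#34;": '"', "&#39;": "'", "&nbsp;": "\u00a0",
};
function decodeEntities(html) {
  return html.replace(/&(?:#\d+|[a-z]+);/gi,
    (m) => (ENTITIES[m] !== undefined ? ENTITIES[m] : m));
}

// An encoder is correct for a value only if decoding its output returns the value exactly.
function roundTrips(encoder, value) {
  return decodeEntities(encoder(value)) === value;
}

// Constructed data values modelled on the ticket's examples.
const SAMPLES = ["&nbsp;", "Tom & Jerry", "<b>&amp;</b>", "a \"quoted\" 'value'"];

// Which sample values the buggy encoder renders differently from the literal text.
function buggyFailures() {
  return SAMPLES.filter((s) => !roundTrips(encodeBuggy, s));
}
```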

Changed December 16, 2010 07:32PM UTC by BorisMoore comment:4

milestone: → 1.4.4
resolution: worksforme →
status: closed → reopened

Changed December 16, 2010 07:32PM UTC by BorisMoore comment:5

owner: → BorisMoore
status: reopened → assigned

I'll look at this.

Changed February 14, 2011 01:06PM UTC by jonathan.protzenko@gmail.com comment:6

I've uploaded a testcase (reduced) at http://jonathan.protzenko.free.fr/jquery-tmpl/t.xhtml .

The thing is, simply using ${t} within the template when t = "&" makes the ultimate .innerHTML call fail, because ampersands simply are not encoded properly. When the document happens to be XML, this is fatal. This is especially painful for XML+XHTML documents, because that makes the whole thing a syntax error, and the templating fails.

As a side note, I have a very good reason for using strict XML, so switching to a non-XML document is not a solution.

Changed March 04, 2011 08:08PM UTC by BorisMoore comment:7

resolution: → duplicate
status: assigned → closed

Resolving as dup of the new issue I created for this here:

https://github.com/jquery/jquery-tmpl/issues/79

We will be using the Issue tracker for jQuery Template bugs...