#7199 closed bug (duplicate)
Opened October 15, 2010 11:28AM UTC
Closed March 04, 2011 08:08PM UTC
Last modified March 13, 2012 07:53PM UTC
jQuery templating plug-in incorrect HTML encoding
Reported by: | anonymous | Owned by: | BorisMoore
---|---|---|---
Priority: | low | Milestone: |
Component: | templates | Version: | 1.4.3
Keywords: | ampersand templating | Cc: |
Blocked by: | | Blocking: |
Description
The templating plugin doesn't encode the '&' character. When I have the following text in the data object: '&nbsp;', the templating plug-in renders whitespace instead of this string.
jquery.tmpl.js contains the following comment in the 'encode' function:
// Do HTML encoding replacing < > & and ' and " by corresponding entities.
But no manipulation of the '&' character exists:
return ("" + text).split("<").join("&lt;").split(">").join("&gt;").split('"').join("&#34;").split("'").join("&#39;");
Attachments (0)
Change History (7)
Changed October 15, 2010 05:31PM UTC by comment:1
component: | unfiled → templates |
---|---|
priority: | undecided → blocker |
status: | new → open |
Changed October 16, 2010 02:12AM UTC by comment:2
keywords: | → ampersand templating |
---|---|
priority: | blocker → low |
resolution: | → worksforme |
status: | open → closed |
&nbsp; is a non-breaking space (HTML entity). If you're trying to get the ampersand character to work, rather than including it in a reference to &nbsp;, simply try using & instead and it should render fine.
If otherwise you are actually trying to render the complete string to be interpreted literally, you could probably do something like instead.
Changed October 16, 2010 10:30AM UTC by comment:3
Replying to [comment:2 addyosmani]:
&nbsp; is a non-breaking space (HTML entity). If you're trying to get the ampersand character to work, rather than including it in a reference to &nbsp;, simply try using & instead and it should render fine. If otherwise you are actually trying to render the complete string to be interpreted literally, you could probably do something like instead.
As I understand it, only the {{html}} template tag should render unencoded HTML text. The ${} tag should escape values. As you described, &nbsp; is an HTML entity and it should be encoded into plain text. All '&' characters should be encoded in this plug-in, not on the server side. Otherwise ${} will render "half-encoded" text (without tags but with HTML entities). To prevent XSS attacks all of these characters should be escaped: ", ', <, >, &.
Changed December 16, 2010 07:32PM UTC by comment:4
milestone: | 1.4.4 |
---|---|
resolution: | worksforme |
status: | closed → reopened |
Changed December 16, 2010 07:32PM UTC by comment:5
owner: | → BorisMoore |
---|---|
status: | reopened → assigned |
I'll look at this.
Changed February 14, 2011 01:06PM UTC by comment:6
I've uploaded a testcase (reduced) at http://jonathan.protzenko.free.fr/jquery-tmpl/t.xhtml .
The thing is, simply using ${t} within the template when t = "&" makes the ultimate .innerHTML call fail, because ampersands simply are not encoded properly. When the document happens to be XML, this is fatal. This is especially painful for XML+XHTML documents, because that makes the whole thing a syntax error, and the templating fails.
As a side note, I have a very good reason for using strict XML, so switching to a non-XML document is not a solution.
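Added example, not code from jquery-tmpl or from any commenter in this thread: the encode() function as the report describes it, beside a version that also escapes '&', covering the "half-encoded" output from comment 3 and the XHTML failure from comment 6. The isWellFormedXmlText helper is an assumption of this example (a minimal check, not an XML parser).

```javascript
// Behaviour as reported: '<', '>', '"' and "'" are replaced, '&' is left alone,
// so data such as "&nbsp;" reaches innerHTML as a live entity reference.
function encodeAsReported(text) {
  return ("" + text)
    .split("<").join("&lt;")
    .split(">").join("&gt;")
    .split('"').join("&#34;")
    .split("'").join("&#39;");
}

// Corrected: '&' must be replaced FIRST. Doing it after the other replacements
// would turn the "&lt;" they just produced into "&amp;lt;" (double encoding).
function encodeFixed(text) {
  return ("" + text)
    .split("&").join("&amp;")
    .split("<").join("&lt;")
    .split(">").join("&gt;")
    .split('"').join("&#34;")
    .split("'").join("&#39;");
}

// Minimal well-formedness check for XML character data (assumption of this
// example): no raw '<', and every '&' must begin a recognised reference.
// A bare '&' is exactly what makes an XHTML document's innerHTML assignment fail.
function isWellFormedXmlText(s) {
  if (s.indexOf("<") !== -1) return false;
  var stripped = s.replace(/&(amp|lt|gt|quot|apos|#\d+|#x[0-9a-fA-F]+);/g, "");
  return stripped.indexOf("&") === -1;
}

// Constructed sample values illustrating the two complaints in the thread.
var sampleEntity = "&nbsp;";        // the reporter's data value
var sampleMarkup = "Tom & Jerry <b>"; // untrusted text with markup characters
```

With encodeAsReported, "&nbsp;" survives unchanged and is rendered as a space, while "Tom & Jerry <b>" becomes "Tom & Jerry &lt;b&gt;", which is not well-formed XML; encodeFixed yields "&amp;nbsp;" and "Tom &amp; Jerry &lt;b&gt;" respectively.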
Changed March 04, 2011 08:08PM UTC by comment:7
resolution: | → duplicate |
---|---|
status: | assigned → closed |
Resolving as dup of the new issue I created for this here:
https://github.com/jquery/jquery-tmpl/issues/79
We will be using the Issue tracker for jQuery Template bugs...