#7199 closed bug (duplicate)
jQuery templating plug-in incorrect HTML encoding
| Reported by: | anonymous | Owned by: | BorisMoore |
|---|---|---|---|
| Priority: | low | Milestone: | |
| Component: | templates | Version: | 1.4.3 |
| Keywords: | ampersand templating | Cc: | |
| Blocked by: | Blocking: |
Description
templating plugin doesn't encode '&' character. When I have following text in data object: ' ', templating plug-in renders whitespace instead of this string.
jquery.tmpl.js contains following comment in 'encode' function: Do HTML encoding replacing < > & and ' and " by corresponding entities. But no manipulation with '&' character exists: return ("" + text).split("<").join("<").split(">").join(">").split('"').join(""").split("'").join("'");
Change History (7)
comment:1 Changed 12 years ago by
| Component: | unfiled → templates |
|---|---|
| Priority: | undecided → blocker |
| Status: | new → open |
comment:2 follow-up: 3 Changed 12 years ago by
| Keywords: | ampersand templating added |
|---|---|
| Priority: | blocker → low |
| Resolution: | → worksforme |
| Status: | open → closed |
comment:3 Changed 12 years ago by
Replying to addyosmani:
is a non-breaking space (html entity). If you're trying to get the ampersand character to work, rather than including it in a reference to , simply try using & instead and it should render fine.
If otherwise you are actually trying to render the complete string to be interpreted literally, you could probably do something like &nbsp; instead.
As I understand only {{html}} template tag should render unencoded HTML text. ${} tag should escape values. As you described, is HTML entity and it should be encoded into plain text. All '&' characters should be encoded in this plug-in, not on server side. Otherwise ${} will render "half-encoded" text (without tags but with HTML entities). To prevent XSS attacks all of these characters should be escaped: ", ', <, >, &.
comment:4 Changed 12 years ago by
| Milestone: | 1.4.4 |
|---|---|
| Resolution: | worksforme |
| Status: | closed → reopened |
comment:5 Changed 12 years ago by
| Owner: | set to BorisMoore |
|---|---|
| Status: | reopened → assigned |
I'll look at this.
comment:6 Changed 12 years ago by
I've uploaded a testcase (reduced) at http://jonathan.protzenko.free.fr/jquery-tmpl/t.xhtml .
The thing is, simply using ${t} within the template when t = "&" makes the ultimate .innerHTML call fail, because ampersands simply are not encoded properly. When the document happens to be XML, this is fatal. This is especially painful for XML+XHTML documents, because that makes the whole thing a syntax error, and the templating fails.
As a side note, I have a very good reason for using strict XML, so switching to a non-XML document is not a solution.
comment:7 Changed 12 years ago by
| Resolution: | → duplicate |
|---|---|
| Status: | assigned → closed |
Resolving as dup of the new issue I created for this here: https://github.com/jquery/jquery-tmpl/issues/79 We will be using the Issue tracker for jQuery Template bugs...
is a non-breaking space (html entity). If you're trying to get the ampersand character to work, rather than including it in a reference to , simply try using & instead and it should render fine.
If otherwise you are actually trying to render the complete string to be interpreted literally, you could probably do something like &nbsp; instead.