Bug Tracker

Opened 9 years ago

Closed 8 years ago

Last modified 7 years ago

#7199 closed bug (duplicate)

jQuery templating plug-in incorrect HTML encoding

Reported by: anonymous
Owned by: BorisMoore
Priority: low
Milestone: (none)
Component: templates
Version: 1.4.3
Keywords: ampersand templating
Cc: (none)
Blocked by: (none)
Blocking: (none)

Description

The templating plugin doesn't encode the '&' character. When I have the following text in the data object: '&nbsp;', the templating plug-in renders whitespace instead of this string.

jquery.tmpl.js contains the following comment in the 'encode' function: "Do HTML encoding replacing < > & and ' and " by corresponding entities." But no manipulation of the '&' character exists: return ("" + text).split("<").join("&lt;").split(">").join("&gt;").split('"').join("&#34;").split("'").join("&#39;");

Change History (7)

comment:1 Changed 9 years ago by snover

Component: unfiled → templates
Priority: undecided → blocker
Status: new → open

comment:2 Changed 9 years ago by addyosmani

Keywords: ampersand templating added
Priority: blocker → low
Resolution: set to worksforme
Status: open → closed

&nbsp; is a non-breaking space (html entity). If you're trying to get the ampersand character to work, rather than including it in a reference to &nbsp;, simply try using &amp; instead and it should render fine.

If otherwise you are actually trying to render the complete string &nbsp; to be interpreted literally, you could probably do something like &amp;nbsp; instead.

comment:3 in reply to: 2 Changed 9 years ago by anonymous

Replying to addyosmani:

&nbsp; is a non-breaking space (html entity). If you're trying to get the ampersand character to work, rather than including it in a reference to &nbsp;, simply try using &amp; instead and it should render fine.

If otherwise you are actually trying to render the complete string &nbsp; to be interpreted literally, you could probably do something like &amp;nbsp; instead.

As I understand it, only the {{html}} template tag should render unencoded HTML text. The ${} tag should escape values. As you described, &nbsp; is an HTML entity and it should be encoded into plain text. All '&' characters should be encoded in this plug-in, not on the server side. Otherwise ${} will render "half-encoded" text (without tags but with HTML entities). To prevent XSS attacks, all of these characters should be escaped: ", ', <, >, &.

comment:4 Changed 9 years ago by BorisMoore

Milestone: set to 1.4.4
Resolution: worksforme deleted
Status: closed → reopened

comment:5 Changed 9 years ago by BorisMoore

Owner: set to BorisMoore
Status: reopened → assigned

I'll look at this.

comment:6 Changed 9 years ago by jonathan.protzenko@…

I've uploaded a testcase (reduced) at http://jonathan.protzenko.free.fr/jquery-tmpl/t.xhtml .

The thing is, simply using ${t} within the template when t = "&" makes the ultimate .innerHTML call fail, because ampersands simply are not encoded properly. When the document happens to be XML, this is fatal. This is especially painful for XML+XHTML documents, because that makes the whole thing a syntax error, and the templating fails.

As a side note, I have a very good reason for using strict XML, so switching to a non-XML document is not a solution.
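The following is an added example and not code from jquery.tmpl.js or from any participant in this ticket. It puts the `encode` helper exactly as quoted in the description (buggy) beside a corrected version, and adds two checks that make the difference visible for the cases raised in the description, comment 3 and comment 6: a round trip through a small entity decoder (an assumed stand-in for the browser's parsing of innerHTML, handling only the entities listed in the table plus numeric references), and a bare-ampersand scan approximating what an XML/XHTML parser treats as fatal. All inputs are constructed for the example.

```javascript
// Buggy version, as quoted in the ticket: '&' is never touched.
function encodeBuggy(text) {
  return ("" + text)
    .split("<").join("&lt;")
    .split(">").join("&gt;")
    .split('"').join("&#34;")
    .split("'").join("&#39;");
}

// Corrected version. '&' has to be replaced FIRST: the later replacements
// introduce '&' themselves, and encoding it afterwards would turn "&lt;"
// into "&amp;lt;".
function encodeFixed(text) {
  return ("" + text)
    .split("&").join("&amp;")
    .split("<").join("&lt;")
    .split(">").join("&gt;")
    .split('"').join("&#34;")
    .split("'").join("&#39;");
}

// Minimal entity decoder, used here as a stand-in for the browser's HTML
// parser (assumption: only these named entities plus numeric references;
// unknown names are left untouched).
const NAMED = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'", nbsp: "\u00a0" };
function decodeEntities(markup) {
  return markup.replace(/&(#x[0-9a-fA-F]+|#[0-9]+|[a-zA-Z][a-zA-Z0-9]*);/g, (m, ref) => {
    if (ref[0] === "#") {
      const hex = ref[1] === "x" || ref[1] === "X";
      const cp = hex ? parseInt(ref.slice(2), 16) : parseInt(ref.slice(1), 10);
      return String.fromCodePoint(cp);
    }
    return ref in NAMED ? NAMED[ref] : m;
  });
}

// True when the data comes back unchanged after the browser decodes the
// encoder's output, i.e. it is displayed literally rather than interpreted.
function roundTrips(encode, text) {
  return decodeEntities(encode(text)) === text;
}

// XML/XHTML well-formedness: an '&' that does not start a character or
// entity reference is a fatal parse error. This only checks reference
// syntax; a real XML parser would also reject names it does not know.
function hasBareAmpersand(markup) {
  return /&(?!(#x[0-9a-fA-F]+|#[0-9]+|[a-zA-Z][a-zA-Z0-9]*);)/.test(markup);
}

// Constructed inputs covering the cases raised in the ticket.
const SAMPLES = [
  "&nbsp;",                  // description: six characters that the buggy encoder turns into a space
  "&",                       // comment 6: a lone ampersand breaks an XML document
  "Tom & <Jerry>",           // tags plus a bare ampersand
  "&lt;b&gt;bold&lt;/b&gt;", // pre-encoded data: "half-encoded" output shows <b>bold</b> as text
];

// Run every sample through one encoder and report what a reader would see.
function report(encode) {
  return SAMPLES.map((text) => ({
    input: text,
    output: encode(text),
    displayed: decodeEntities(encode(text)),
    literal: roundTrips(encode, text),
    xmlSafe: !hasBareAmpersand(encode(text)),
  }));
}

console.table(report(encodeBuggy));
console.table(report(encodeFixed));
```

With the buggy encoder, "&nbsp;" is displayed as a non-breaking space and "&lt;b&gt;bold&lt;/b&gt;" as "<b>bold</b>", so the data is not shown literally even though no tags get through; with the corrected encoder every sample round-trips and no output contains a bare ampersand, which is what an XHTML document served as XML needs.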

comment:7 Changed 8 years ago by BorisMoore

Resolution: set to duplicate
Status: assigned → closed

Resolving as dup of the new issue I created for this here: https://github.com/jquery/jquery-tmpl/issues/79 We will be using the Issue tracker for jQuery Template bugs...
