<html lang="en"><body>Hello, world</body></html>
```
-If the text is multi-line, backquoted (template) strings are be used, to allow
+If the text is multi-line, backquoted (template) strings are used, to allow
embedded newlines. When the entire text is held in a variable, e.g. `myvar`, a
template string such as ```${myvar}``` should be used, to convert it into a
standalone statement consisting of only a string constant, and hence into HTML.
each output fragment (such as an opening or closing tag or an embedded string)
is generated, it will be sent to the output buffer by an `_out.push(...)` call.
-If there is dynamically generated text in the template, then there must be a
-function `_html_escape()` provided in the current scope, that escapes the text.
+If there is dynamically generated text in the template, then it will be esacped
+by the sequence `.replace("&", "&").replace("<", "<")`, this is chosen
+so that no external dependency such as the `html-entities` package is needed,
+and so that unnecessary escaping of characters such as `'` or `>` is not done.
+Attributes are done similarly, except that `"` is replaced instead of `<`. We
+assume a `UTF-8` environment, so there is really little need for HTML entities.
-For example, consider a realistic template which we use on a our demo server:
+For example, consider a realistic template which we use on our demo server:
```
html(lang=lang) {
head {
This compiles to the following plain JavaScript code:
```
-_out.push("<html lang=\"" + _html_escape(lang.toString()) + "\">");
+_out.push("<html lang=\"" + lang.toString().replace("&", "&").replace("\"", """) + "\">");
{
_out.push("<head>");
_out.push("<link rel=\"stylesheet\" type=\"text/css\" href=\"css/styles.css\">");
_out.push("<body>");
{
_out.push("<p>");
- _out.push(_html_escape(`Hello, ${name}`));
+ _out.push(`Hello, ${name}`.replace("&", "&").replace("<", "<"));
_out.push("</p>");
}
_out.push("</body>");
let astring = require('astring')
let disk_build = require('@ndcode/disk_build')
let fs = require('fs')
-let html_escape = require('html-escape')
let path = require('path')
let transform = require('./transform')
let visitors = require('./visitors')
let jst = (pathname, root, args) => /*await*/ build_cache.get(
pathname,
async result => {
- let arg_names = ['_require', '_html_escape', '_pathname', '_root']
+ let arg_names = ['_require', '_pathname', '_root']
let arg_values = [
async require_pathname => {
let temp = path.posix.dirname(pathname)
require_pathname = path.posix.resolve(temp, require_pathname)
return jst(require_pathname, root, args)
},
- html_escape,
pathname,
root
]
"@ndcode/disk_build": "^0.1.0",
"assert": "^1.4.1",
"astring": "^1.3.1",
- "html-escape": "^2.0.0",
"rollup": "^0.45.0",
"rollup-plugin-buble": "^0.16.0",
"uglify-es": "^3.3.9"
// Nick
import CleanCSS from "@ndcode/clean-css"
-import html_escape from "html-escape"
let clean_css = new CleanCSS()
const pp = Parser.prototype
type: 'ExpressionStatement',
expression: {
type: 'Literal',
- value: html_escape(render.styles)
+ value: render.styles // we simply assume it does not contain </style> tags, should HTML escape it??
}
}
]
let astring = require('astring')
let transform = require('./transform')
let uglify_es = require('uglify-es')
-let html_escape = require('html-escape')
let expr_to_tag = (node, context, html_allowed, call_allowed) => {
if (node.type === 'Identifier')
if (value_expr !== undefined) {
prefix += '="'
if (value_expr.type === 'Literal')
- prefix += html_escape(value_expr.value)
+ prefix +=
+ value_expr.value
+ .toString()
+ .replace('&', '&')
+ .replace('"', '"')
else {
let expr1 = {
type: 'Literal',
right: {
type: 'CallExpression',
callee: {
- type: 'Identifier',
- name: '_html_escape'
- },
- arguments: [
- {
+ type: 'MemberExpression',
+ object: {
type: 'CallExpression',
callee: {
type: 'MemberExpression',
- object: value_expr,
+ object: {
+ type: 'CallExpression',
+ callee: {
+ type: 'MemberExpression',
+ object: value_expr,
+ property: {
+ type: 'Identifier',
+ name: 'toString'
+ },
+ computed: false
+ },
+ arguments: [
+ ]
+ },
property: {
type: 'Identifier',
- name: 'toString'
+ name: 'replace'
},
computed: false
},
arguments: [
+ {
+ type: 'Literal',
+ value: '&'
+ },
+ {
+ type: 'Literal',
+ value: '&'
+ }
]
+ },
+ property: {
+ type: 'Identifier',
+ name: 'replace'
+ },
+ computed: false
+ },
+ arguments: [
+ {
+ type: 'Literal',
+ value: '"'
+ },
+ {
+ type: 'Literal',
+ value: '"'
}
]
}
)
if (render.error)
throw render.error
- prefix += render.code
+ prefix += render.code // we simply assume it does not contain </script> tags, should HTML escape it?
}
else if (body.length !== 0) {
let expr1 = {
arguments: [
{
type: 'Literal',
- value: html_escape(node.expression.value.toString())
+ value:
+ node.expression.value
+ .toString()
+ .replace('&', '&')
+ .replace('<', '<')
}
]
}
{
type: 'CallExpression',
callee: {
- type: 'Identifier',
- name: '_html_escape'
+ type: 'MemberExpression',
+ object: {
+ type: 'CallExpression',
+ callee: {
+ type: 'MemberExpression',
+ object: c(node.expression, st, 'Expression'),
+ property: {
+ type: 'Identifier',
+ name: 'replace'
+ },
+ computed: false
+ },
+ arguments: [
+ {
+ type: 'Literal',
+ value: '&'
+ },
+ {
+ type: 'Literal',
+ value: '&'
+ }
+ ]
+ },
+ property: {
+ type: 'Identifier',
+ name: 'replace'
+ },
+ computed: false
},
arguments: [
- c(node.expression, st, 'Expression')
+ {
+ type: 'Literal',
+ value: '<'
+ },
+ {
+ type: 'Literal',
+ value: '<'
+ }
]
}
]