How does blueprint handle escaping html entities?

[robacarp]

I looked briefly at the website https://stephannv.github.io/blueprint-docs/ but didn't see any mention of this. One of the most important things in HTML templating is escaping content which isn't supposed to be HTML. Ruby/ERB has an elegant strategy for this which is transparent to the programmer in most cases, while other languages require a lot of hand-holding to produce safe markup from user-submitted content.

What does blueprint have in this area? How would it handle, eg: p { %|<a onclick="alert('hi')">| }?

[stephannv]

Blueprint escapes all content and attributes when rendering.
On docs: https://stephannv.github.io/blueprint-docs/guides/safety
On code:

• https://github.com/stephannv/blueprint/blob/main/src/blueprint/html/attributes_parser.cr#L29
• https://github.com/stephannv/blueprint/blob/main/src/blueprint/html/content_capture.cr#L6

Tests: https://github.com/stephannv/blueprint/blob/main/spec/blueprint/html/safety_spec.cr

Example:

span { "<script>alert('hello')</script>" }

 input(class: "some-class\" onblur=\"alert('Attribute')")

Output:

<span>&lt;script&gt;alert(&#39;hello&#39;)&lt;/script&gt;</span>

<input class="some-class&quot; onblur=&quot;alert(&#39;Attribute&#39;)">

In the next releases I will allow users to bypass this escaping, something like div { unsafe("<js code here>")

[robacarp]

I would really like to use this, but I do a fair amount of rendering content from the database (markdown, etc). For now I'll stick with ECR, and I look forward to a release that includes a raw/unsafe mode.

[stephannv]

I would really like to use this, but I do a fair amount of rendering content from the database (markdown, etc). For now I'll stick with ECR, and I look forward to a release that includes a raw/unsafe mode.

@robacarp I just added a unsafe_raw util to allow rendering Strings without escaping, so:

div do
  unsafe_raw "<script>Dangerous script</script>"
end

Will output

<div><script>Dangerous script</script></div>

Here the PR: #58

It's available on 0.7.0 version

It's not on docs page yet because I'm updating it right now with all changes since 0.4.0 and the next one (0.8.0).

[stephannv]

I also added a new module Blueprint::RawHTML. It is for those who want to priorize performance over safety or want to render to much raw content. It is 30% faster than Blueprint::HTML but it must be used with great caution.

require "blueprint/raw_html"

class MyHTML
  include Blueprint::RawHTML

  def blueprint
    div "<script>alert('Danger!')</script>" # this will not be escaped
  end
end

MyHTML.new.to_html # => <div><script>alert('Danger!')</script></div>

[stephannv]

Hey @robacarp I just released a 0.8.0 version and there are a few changes. If you want to render content without escaping, you should use #safe indicating to Blueprint that the content don't need to be escaped.
eg.

div { safe("<script>My Script</script>") } # <div><script>My Script</script></div>

raw safe("<script>My Script</script>" # <script>My Script</script>

[robacarp]

@stephannv amazing! thank you!