Html Entities (→)

[robacarp]

The crystal HTML.escape which blueprint uses isn't as smart as it could be. It'll stubbornly re-escape things which are already escaped:

"Before: → and After: #{HTML.escape("→")}"
#=> "Before: → and After: →"

Rails provides something clever which will only escape things which don't appear to already be escaped:

escape_once("1 < 2 &amp; 3")
# => "1 &lt; 2 &amp; 3"

escape_once("&lt;&lt; Accept & Checkout")
# => "&lt;&lt; Accept &amp; Checkout"

This functionality exists on top of the ruby escape functionality, which is almost certainly what Crystal's is based off of.

For now, I'm able to render an html entity manually in blueprint with raw safe "←" -- but that'll get significantly more complicated if I have markdown content with html entities encoded in it already.

[stephannv]

I will investigate this issue. I tried to replicate the Rails behavior:

HTML_ESCAPE = {
  "&" => "&",
  ">" => ">",
  "<" => "&lt;",
  %(") => "&quot;",
  "'" => "&#39;"
}
HTML_ESCAPE_ONCE_REGEXP = /["><']|&(?!([a-zA-Z]+|(#\d+)|(#[xX][\dA-Fa-f]+));)/

value.gsub(HTML_ESCAPE_ONCE_REGEXP, HTML_ESCAPE)

But Blueprint got much more slower than using HTML.escape (on benchmark it went from 8x slower than ECR to 14x slower). I will need tweak some things, eg. use faster escaping for attribute values and use this escape_once behavior for content.

[stephannv]

@robacarp what do you think about #83 ?

I kept the default Crystal escaper and added a new one that you can use through the escape_once helper.

Usage:

def blueprint
  plain escape_once("1 < 2 &amp; 3")
  
  span { escape_once("&lt;&lt; Accept & Checkout") }
  
  div escape_once("1 < 2 &amp; 3")
end

Results:

1 < 2 & 3

<span>&lt;&lt; Accept &amp; Checkout</span>

<div>1 &lt; 2 &amp; 3</div>

[robacarp]

I'm in favor -- it seems like it plays nicely with the existing safety framework too, which is great. I wonder if this should be a crystal stdlib feature?

[stephannv]

Thanks for the feedback. escape_once is live on 0.11.0

I'm not sure about how the core team decide what should be part of stdlib or not, but since it is just 3 lines, it is easy to implement it by ourselves. But if other languages have this feat built in, it should easier to convince core team members to accept the proposal.

[robacarp]

amazing, thank you!