[racket] Web application question. [and 1 more messages]

From: Eli Barzilay (eli at barzilay.org)
Date: Fri Feb 3 15:39:00 EST 2012

A few minutes ago, Michael W wrote:
> 
> I guess you're making the point that quasiquotes in a
> web-server/templates template doesn't protect against injection.

Yes, exactly.  And going back to Harry's question, it was about the
"@syntax", and to be precise, that syntax is independent of anything
else.  For example, here's your code translated to that:

  #lang at-exp racket          ; at-exp reader for the @-syntax
  (require xml)                ; provides xexpr->string

  (let ([user-supplied-input "<script http=\"nasty\">...</script>"])
    (xexpr->string
      ;; reads as `(html (body (p ,user-supplied-input)))
      @`html{@body{@p{@,user-supplied-input}}}))


> After all, the templates library doesn't explicitly escape anything

Right, and *that's* the important issue.


> whereas xexpr does.

Not xexprs -- the library that is commonly used to spit them out as
xml.

-- 
          ((lambda (x) (x x)) (lambda (x) (x x)))          Eli Barzilay:
                    http://barzilay.org/                   Maze is Life!
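An added example (not from Eli's message or from the Racket web-server code) that puts the two rendering paths side by side: plain @-syntax string concatenation, which behaves like web-server/templates and escapes nothing, versus xexpr->string, which escapes string content. The hostile input and the render-* function names are constructed for illustration.

```racket
#lang at-exp racket
(require xml)

;; Constructed hostile input for the demonstration.
(define user-supplied-input "<script>alert(1)</script>")

;; Template-style rendering: the @-syntax here just expands to
;; string-append, so whatever is in INPUT lands in the page verbatim.
;; This is the same non-escaping behaviour as web-server/templates.
(define (render-template input)
  @string-append{<html><body><p>@|input|</p></body></html>})

;; xexpr rendering: the same structure as an xexpr, serialised by
;; xexpr->string, which escapes <, > and & inside string content.
(define (render-xexpr input)
  (xexpr->string `(html (body (p ,input)))))

;; If a template must be used, escape the fragment before splicing it
;; in: a bare string is itself a valid xexpr, so xexpr->string works
;; as an escaper for it.
(define (render-template-escaped input)
  (render-template (xexpr->string input)))

(module+ main
  (displayln (render-template user-supplied-input))
  (displayln (render-xexpr user-supplied-input))
  (displayln (render-template-escaped user-supplied-input)))
```

Run with `racket file.rkt`; the first line shows the script tag intact, the other two show it entity-escaped.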

Posted on the users mailing list.