[racket] Web application question.

From: Danny Yoo (dyoo at cs.wpi.edu)
Date: Mon Jan 16 20:16:18 EST 2012

> Can someone tell me, is there some advantage or added functionality in using
> the @syntax in a template over the first example using quasiquotes?

Section 7.4 of the Web Server docs shows a difference:
A version with quasiquotes is more resistant to injection attack
because it represents structure directly in the s-expression
structure.  If you plug an arbitrary string into a-name in the
s-expression example, it shouldn't ever screw up the structure of the
resulting html response.

In contrast, templates do not guarantee that their expansions are
well-formed, so inadvertent structure might be introduced via an
injection attack unless you've taken precautions.  Plug in something
in a-name that includes HTML tag content, and you'll see interesting

Posted on the users mailing list.
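To make the difference concrete, here is an added example (not from the original post): the same "a-name" is rendered once as an X-expression and once as a plain template-style string, then with the precaution applied. Because a real @-template (include-template) reads its file at compile time, string concatenation stands in for it here; that substitution, and the sample name, are assumptions of this example.

```racket
#lang racket
(require xml)  ; provides xexpr->string

;; Constructed sample input: a "name" that carries HTML tag content.
(define tricky-name "<b>Bob</b>")

;; X-expression version (the quasiquote example): the document structure
;; is the s-expression itself, so a-name can only ever be a text node and
;; its < > & characters are escaped when the xexpr is serialized.
(define (render/xexpr a-name)
  (xexpr->string `(p "Hello, " ,a-name)))

;; Template-style version: a template's output is just text, so whatever
;; markup a-name contains becomes part of the page's structure.
;; (string-append stands in for an @-template, see lead-in.)
(define (render/template a-name)
  (string-append "<p>Hello, " a-name "</p>"))

;; The precaution: escape the string before it enters the template.
;; A bare string is itself a valid X-expression, so xexpr->string
;; returns it with < > & replaced by entities.
(define (render/template-escaped a-name)
  (string-append "<p>Hello, " (xexpr->string a-name) "</p>"))

(module+ main
  ;; Only the middle line contains a live <b> element; the other two
  ;; show the same text with the tag characters escaped.
  (displayln (render/xexpr tricky-name))
  (displayln (render/template tricky-name))
  (displayln (render/template-escaped tricky-name)))
```

Run with `racket file.rkt`; comparing the three lines shows why the X-expression form cannot have its structure changed by a-name, while the template form needs the escape step.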