[racket] Escaping things in templates?

From: Michael W (mwilber at uccs.edu)
Date: Sat Oct 22 22:38:47 EDT 2011

Hello! Thanks for making racket! It's the coolest.

The web server template documentation:
http://docs.racket-lang.org/web-server/templates.html has several
great examples of templates, but it doesn't mention whether
strings included in templates are entity-escaped XML or not.

More seriously, searching for "escape" in the help desk doesn't
even mention anything useful. It looks like the only way of
creating templates that escape the variables included in them is
by adding (require xml/private/writer) to the top of your script
and saying @escape[foo escape-table] every single time you use a
variable in your templates! Surely there must be a better way?

Am I doing it wrong? Take a look at this simple servlet, which
simply spits out what you type in a form:
https://gist.github.com/1306759
Try typing <u>test</u>, for example, or perhaps some JavaScript.

Certain web frameworks try to implicitly protect you from these
kinds of mistakes. Take Django, for example.
The Django team are so upfront about their template system's
escaping behavior that it's literally the first thing they
mention in the first section of their documentation.

Other template systems intentionally make it harder to include
unescaped content by using syntactic differentiation. Mustache,
for example, requires you to use triple braces like
{{{some-input}}} if you want to include some-input as unescaped.

What's the best way of solving this? Obviously we can't change
Scribble, but could we have, say, (include-template) add an
@escape[...] function to the namespace just before it evaluates
the template?

If I'm missing something, please feel free to flame away. ;) If
not, I'd love to help fix this by writing a patch or some
documentation or something.

Thanks again for such a nice framework.

For the Future!

Posted on the users mailing list.
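As an added illustration (not part of the post, the linked gist, or the Racket web-server library), here is a self-contained Racket sketch of the escape-by-default, opt-in-raw discipline the post describes for Mustache: `{{name}}` is entity-escaped, `{{{name}}}` is inserted verbatim. The placeholder syntax, `render`, and `html-escape` are all invented for this example; the sample form input is constructed.

```racket
#lang racket
;; Added example, not code from the original post or from the Racket
;; web-server library. It shows the "escape by default, opt in to raw"
;; template discipline the post asks for, in Mustache's notation:
;;   {{name}}   -> value is HTML-entity-escaped before insertion
;;   {{{name}}} -> value is inserted verbatim (caller vouches for it)

;; Entity-escape the five characters that matter in HTML text and in
;; double- or single-quoted attribute values.
(define (html-escape s)
  (regexp-replace* #rx"[&<>\"']" s
                   (lambda (m)
                     (case m
                       [("&") "&amp;"]
                       [("<") "&lt;"]
                       [(">") "&gt;"]
                       [("\"") "&quot;"]
                       [else "&#39;"]))))

;; Placeholder syntax (hypothetical, for this example). The first
;; alternative (triple braces) captures the name into group 1, the second
;; (double braces) into group 2; the unmatched group arrives as #f.
(define placeholder
  #px"\\{\\{\\{\\s*([A-Za-z_][A-Za-z0-9_-]*)\\s*\\}\\}\\}|\\{\\{\\s*([A-Za-z_][A-Za-z0-9_-]*)\\s*\\}\\}")

;; Render TEMPLATE (a string written by the page author) against ENV
;; (a hash from placeholder name to value). Only the author's literal
;; text and {{{raw}}} substitutions reach the output unescaped, so a
;; forgotten escape call is no longer possible for ordinary values.
(define (render template env)
  (regexp-replace*
   placeholder template
   (lambda (whole raw-name esc-name)
     (define v (hash-ref env (or raw-name esc-name) ""))  ; unknown name -> empty
     (define s (if (string? v) v (format "~a" v)))
     (if raw-name s (html-escape s)))))

(module+ main
  ;; Constructed sample: user-supplied form text containing markup, as in
  ;; the post's "type <u>test</u> into the form" experiment.
  (define page
    "<p>You typed: {{input}}</p>\n<div class=\"widget\">{{{widget}}}</div>\n")
  (define env (hash "input"  "<u>test</u> & \"quotes\""
                    "widget" "<b>markup the server itself produced</b>"))
  (display (render page env)))

(module+ test
  (require rackunit)
  (check-equal? (render "{{x}}" (hash "x" "<u>test</u>"))
                "&lt;u&gt;test&lt;/u&gt;")
  (check-equal? (render "{{{x}}}" (hash "x" "<u>test</u>"))
                "<u>test</u>")
  (check-equal? (render "{{missing}}" (hash)) ""))
```

Run with `racket file.rkt` to see the rendered page, or `raco test file.rkt` for the checks. The escaper here is hand-written so the rules are visible; the public `xml` library's `xexpr->string` also escapes string content, without reaching into `xml/private/writer`. One caveat worth keeping in mind: entity escaping is correct for HTML text and quoted attribute values, but a value placed inside a `<script>` block, a URL, or a style attribute needs encoding specific to that context, and a single escape table does not cover those.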