[racket] Web application question. [and 1 more messages]

From: Eli Barzilay (eli at barzilay.org)
Date: Fri Feb 3 10:03:27 EST 2012

About three weeks ago, Danny Yoo wrote:
> > Can someone tell me, is there some advantage or added functionality
> > in using the @syntax in a template over the first example using
> > quasiquotes?
> 
> Section 7.4 of the Web Server docs shows a difference:
> 
>     http://docs.racket-lang.org/web-server/templates.html#(part._.Escaping)
> 
> A version with quasiquotes is more resistant to injection attack
> because it represents structure directly in the s-expression
> structure.  If you plug an arbitrary string into a-name in the
> s-expression example, it shouldn't ever screw up the structure of
> the resulting html response.

That is completely incorrect.  There is nothing special about
quasiquotes that makes them more resistant to injection over any kind
of other templates.  The thing that *does* matter is whether your
templating tool escapes things that should be text or not.  It would
be easy to make up an alternate language where things do get escaped,
and it would be easy to have an alternate xexpr that doesn't escape
strings.


About three weeks ago, Neil Van Dyke wrote:
> If you want a third option: 
> http://www.neilvandyke.org/racket-html-template/

You should really use the at-exp language.

-- 
          ((lambda (x) (x x)) (lambda (x) (x x)))          Eli Barzilay:
                    http://barzilay.org/                   Maze is Life!

Posted on the users mailing list.
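The point in Eli's reply, as an added example that is not code from the thread, from the Racket web-server, or from its docs: one constructed attacker-controlled string is rendered four ways, and the only thing that decides whether the `<script>` tag stays inert is whether the renderer escapes text. A quasiquoted xexpr rendered by `xexpr->string` escapes string content, the same quasiquoted xexpr with the value wrapped in a `cdata` node does not, a flat `string-append` template (standing in for a non-escaping @-template) does not, and the same flat template becomes safe once the text is escaped by hand. Function names, the `escape-html` helper and the sample input are assumptions of this example.

```racket
#lang racket
;; Added example (not from the original mailing-list post): the same
;; untrusted string rendered four ways. Whether the result is safe
;; depends only on whether text gets escaped, not on whether the page
;; was built with quasiquote.
(require xml) ; xexpr->string, cdata

;; Constructed attacker-controlled value, e.g. a submitted form field.
(define a-name "<script>alert(1)</script>")

;; 1. Quasiquoted xexpr rendered by xexpr->string, which escapes
;;    &, < and > inside string content.
(define (render-xexpr name)
  (xexpr->string `(p "Hello, " ,name)))

;; 2. Same quasiquoted structure, but the value is wrapped in a cdata
;;    node, which xexpr->string writes verbatim. The s-expression
;;    structure is identical; only the escaping, and so the safety,
;;    changed.
(define (render-xexpr-raw name)
  (xexpr->string `(p "Hello, " ,(cdata #f #f name))))

;; 3. A flat string template that splices the value in unescaped,
;;    which is what a non-escaping @-style template amounts to.
(define (render-string-template name)
  (string-append "<p>Hello, " name "</p>"))

;; 4. The same flat template, made safe by escaping text ourselves.
;;    escape-html is a helper assumed for this example. Order matters:
;;    & is replaced first so the entities it introduces are not
;;    escaped again by the later passes.
(define (escape-html s)
  (for/fold ([acc s])
            ([pair (in-list '(("&" "&amp;") ("<" "&lt;")
                              (">" "&gt;") ("\"" "&quot;")))])
    (string-replace acc (first pair) (second pair))))

(define (render-string-template/escaped name)
  (render-string-template (escape-html name)))

;; Print all four side by side. Renderers 1 and 4 keep the <script>
;; tag inert; 2 and 3 emit it as live markup. One of each pair uses
;; quasiquote and one does not, so quasiquote is not the deciding
;; factor.
(module+ main
  (for ([label '("xexpr" "xexpr+cdata" "string" "string+escape")]
        [f (list render-xexpr render-xexpr-raw
                 render-string-template render-string-template/escaped)])
    (printf "~a: ~a\n" label (f a-name))))
```

Run it with `racket file.rkt`. The practical check for any Racket templating choice is the same as for any other language: feed a value containing `<`, `&` and a quote character through the real rendering path and inspect the bytes that reach the browser, rather than reasoning from the shape of the template.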