[racket] Web application question.

From: Danny Yoo (dyoo at cs.wpi.edu)
Date: Mon Jan 16 20:16:18 EST 2012

> Can someone tell me, is there some advantage or added functionality in using
> the @syntax in a template over the first example using quasiquotes?

Section 7.4 of the Web Server docs shows a difference:

    http://docs.racket-lang.org/web-server/templates.html#(part._.Escaping)

A version with quasiquotes is more resistant to injection attack
because it represents structure directly in the s-expression
structure.  If you plug an arbitrary string into a-name in the
s-expression example, it shouldn't ever screw up the structure of the
resulting HTML response.

In contrast, templates do not guarantee that their expansions are
well-formed, so inadvertent structure might be introduced via an
injection attack unless you've taken precautions.  Plug in something
in a-name that includes HTML tag content, and you'll see interesting
things.


Posted on the users mailing list.
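The difference described in the reply above, as an added example that is not part of the original post: the same value `a-name` is rendered once as a leaf of an xexpr (where the `xml` library's `xexpr->string` escapes it) and once by splicing the raw string into markup text the way an unescaped template expansion would. The function names and the sample value are constructed for this illustration; the only library calls used are `xexpr->string` from `xml`.

```racket
#lang racket
(require xml)

;; Constructed sample input: a "name" that carries HTML tag content.
(define a-name "<b>Dan</b>")

;; S-expression (xexpr) route: the string is a leaf in the tree, so the
;; serializer escapes < > & and the <p> element's structure is preserved.
(define (render-xexpr name)
  (xexpr->string `(p "Hello, " ,name)))

;; Template-style route: the raw string is spliced into the markup text,
;; so any tags it contains become part of the resulting document.
(define (render-spliced name)
  (string-append "<p>Hello, " name "</p>"))

;; The precaution the Escaping section of the docs recommends: run the
;; value through xexpr->string before splicing it into template text.
(define (render-spliced-escaped name)
  (string-append "<p>Hello, " (xexpr->string name) "</p>"))

(module+ main
  (displayln (render-xexpr a-name))
  (displayln (render-spliced a-name))
  (displayln (render-spliced-escaped a-name)))
```

Running the module shows `render-xexpr` and `render-spliced-escaped` producing a single paragraph whose text contains the literal characters of the tag, while `render-spliced` yields a paragraph with a new `b` element nested inside it, which is exactly the "inadvertent structure" the reply warns about.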