There has already been a small discussion around this topic on a Phoenix HTML issue here <https://github.com/phoenixframework/phoenix_html/issues/210>.

I wanted to finish the discussion here so that there was a single point of reference.

Rationale for this proposal: EEx templates are not safe when embedding user data in HTML content, and reinventing functionality that is security critical is not good for the community.

Current solutions are Phoenix.HTML templates and Plug.HTML.html_escape. As I see it:

- Plug is ubiquitous enough to be part of 99% of web based projects, however using html_escape is opt in, i.e. you have to remember to escape every piece of risky content. As an example of this, Maru has a method to set html <https://github.com/elixir-maru/maru/blob/bdbf5f35da88acf9f9e18aeed58d525241d2953b/lib/maru/response.ex#L51-L59>, but does not make any mention of the need to manage escaping.
- Phoenix.HTML templates are a sufficient solution but are not going to be part of all projects.
- I'm not sure about this, but generating HTML emails should probably also be safe.

Pros:
- Making good security as easily accessible as possible

Cons:
- Increasing the scope of core

I think the pros outweigh the cons.

As I have needed this in my own project I have built `eex_html`. This proposal would be to merge that library into core (renaming `EExHTML` to `EEx.HTML`): https://hexdocs.pm/eex_html/EExHTML.html
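To make the opt-in versus escape-by-default distinction concrete, here is an added example (not code from the proposal, from eex_html, or from Plug) that contrasts plain EEx with a minimal auto-escaping engine built on the standard EEx.Engine behaviour and Plug.HTML.html_escape/1; the module names EscapeDemo and EscapeDemo.Engine and the {:safe, iodata} tagging convention are assumptions of this example.

```elixir
# Added example; EscapeDemo and EscapeDemo.Engine are hypothetical names.
# Requires the :plug dependency for Plug.HTML.html_escape/1.
defmodule EscapeDemo.Engine do
  use EEx.Engine

  # Every <%= %> is wrapped in escape/1, so forgetting to escape is no longer
  # possible. Values tagged {:safe, iodata} (markup the author built deliberately)
  # pass through untouched; that tag is this example's own convention.
  def handle_expr(state, "=", expr) do
    super(state, "=", quote(do: EscapeDemo.Engine.escape(unquote(expr))))
  end

  def handle_expr(state, marker, expr), do: super(state, marker, expr)

  def escape({:safe, iodata}), do: IO.iodata_to_binary(iodata)
  def escape(value), do: Plug.HTML.html_escape(to_string(value))
end

defmodule EscapeDemo do
  @template "<p>Hello, <%= name %></p>"
  # Constructed user input: a display name carrying a script element.
  @user_name "<script>alert(1)</script>"

  # Plain EEx inserts the value verbatim, so the script element reaches the browser.
  def unsafe, do: EEx.eval_string(@template, name: @user_name)

  # Opt-in escaping works, but the author must remember it at every <%= %>.
  def escaped_by_hand do
    EEx.eval_string("<p>Hello, <%= Plug.HTML.html_escape(name) %></p>", name: @user_name)
  end

  # Escape-by-default: the same template as unsafe/0, only the engine differs.
  def escaped_by_engine do
    EEx.eval_string(@template, [name: @user_name], engine: EscapeDemo.Engine)
  end

  # Markup built by the application can still opt out explicitly.
  def trusted_markup do
    EEx.eval_string(@template, [name: {:safe, "<b>admin</b>"}], engine: EscapeDemo.Engine)
  end
end
```

Compare the three rendered strings in iex: only unsafe/0 contains a raw script element, and the engine version needs no change to the template.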
