Elixir today does not care or know anything about HTML - and it has no reason to. EEx is already extensible enough for people to build their own engines and that is what Elixir should focus on.
Furthermore, it doesn't scale if the solution to unifying implementations in the community is to "add them to the language". The focus should not be on core, but on the ecosystem: https://elixir-lang.org/development.html

Thanks for your proposal.

*José Valim*
www.plataformatec.com.br
Skype: jv.ptec
Founder and Director of R&D

On Tue, Sep 11, 2018 at 11:32 PM, Peter Saxton <[email protected]> wrote:

> There has already been a small discussion around this topic on a phoenix HTML issue here <https://github.com/phoenixframework/phoenix_html/issues/210>.
>
> I wanted to finish the discussion here so that there was a single point of reference.
>
> The rationale for this proposal is that EEx templates are not safe when embedding user data in HTML content, and reinventing functionality that is security critical is not good for the community.
>
> Current solutions are Phoenix.HTML templates and Plug.HTML.html_escape.
>
> As I see it:
>
> - Plug is ubiquitous enough to be part of 99% of web based projects, however using html_escape is opt in, i.e. you have to remember to escape every piece of risky content.
>   As an example of this, Maru has a method to set html <https://github.com/elixir-maru/maru/blob/bdbf5f35da88acf9f9e18aeed58d525241d2953b/lib/maru/response.ex#L51-L59>, but does not make any mention of the need to manage escaping.
>
> - Phoenix.HTML templates are a sufficient solution but are not going to be part of all projects.
>
> - I'm not sure about this, but generating HTML emails should probably also be safe.
>
> Pros
>
> - Making good security as easily accessible as possible
>
> Cons
>
> - Increasing scope of core
>
> I think the pros outweigh the cons.
>
> As I have needed this in my own project I have built `eex_html`. This proposal would be to merge that library into core (renaming `EExHTML` to `EEx.HTML`).
>
> https://hexdocs.pm/eex_html/EExHTML.html
>
> --
> You received this message because you are subscribed to the Google Groups "elixir-lang-core" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> To view this discussion on the web visit https://groups.google.com/d/msgid/elixir-lang-core/c57d53f7-0437-4042-acba-440c6b3d03db%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
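The two designs the thread contrasts, opt-in escaping versus escape-by-default, as an added illustration that is not code from the thread, from `eex_html`, Plug or Phoenix.HTML; it assumes plain Elixir with EEx, and the module names, the `{:safe, iodata}` tuple and the custom engine are this example's own constructions.

```elixir
# Added illustration; HtmlEscapeDemo and EscapingEngine are invented names.
defmodule HtmlEscapeDemo do
  @escapes %{?& => "&amp;", ?< => "&lt;", ?> => "&gt;", ?" => "&quot;", ?' => "&#39;"}

  # Escape the five characters that can change meaning in HTML text or attributes.
  def escape(string) when is_binary(string) do
    for <<c <- string>>, into: "", do: Map.get(@escapes, c, <<c>>)
  end

  # Escape by default: plain binaries are escaped, content already marked
  # safe passes through, so trusted markup is never escaped twice.
  # The {:safe, iodata} shape is an assumption modelled on Phoenix.HTML.
  def html_escape({:safe, _} = safe), do: safe
  def html_escape(bin) when is_binary(bin), do: {:safe, escape(bin)}
  def html_escape(other), do: html_escape(to_string(other))

  # Mark markup the application itself produced as trusted.
  def raw(iodata), do: {:safe, iodata}

  # Plain EEx: <%= %> inserts the value verbatim, so user input becomes markup.
  def render_unsafe(name),
    do: EEx.eval_string("<p>Hello, <%= name %>!</p>", name: name)

  # Opt-in escaping (the Plug.HTML.html_escape style): correct only if every
  # interpolation site remembers to call it.
  def render_opt_in(name),
    do: EEx.eval_string("<p>Hello, <%= HtmlEscapeDemo.escape(name) %>!</p>", name: name)

  # Escape-by-default via a custom EEx engine: the template author cannot forget.
  def render_safe(name, extra \\ "") do
    EEx.eval_string("<p>Hello, <%= name %>!</p><%= extra %>",
      [name: name, extra: extra], engine: HtmlEscapeDemo.EscapingEngine)
  end
end

defmodule HtmlEscapeDemo.EscapingEngine do
  use EEx.Engine

  # Every <%= expr %> is rewritten to html_escape(expr) before the default
  # engine emits it; <% %> (no output) is passed through unchanged.
  def handle_expr(state, "=", ast) do
    escaped =
      quote do
        {:safe, iodata} = HtmlEscapeDemo.html_escape(unquote(ast))
        IO.iodata_to_binary(iodata)
      end

    EEx.Engine.handle_expr(state, "=", escaped)
  end

  def handle_expr(state, marker, ast), do: EEx.Engine.handle_expr(state, marker, ast)
end
```

With a constructed input such as `"<b>Mallory</b>"`, `render_unsafe/1` returns the tags verbatim while `render_opt_in/1` and `render_safe/1` return them as `&lt;b&gt;Mallory&lt;/b&gt;`; passing `HtmlEscapeDemo.raw("<hr>")` as the second argument to `render_safe/2` keeps that trusted markup unescaped.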
