ddekany commented on issue #60:  Make `js_string` more safety.
URL: https://github.com/apache/freemarker/pull/60#issuecomment-532982038

If we are talking about security, you should use auto-escaping (https://freemarker.apache.org/docs/dgui_quickstart_template.html#dgui_quickstart_template_autoescaping). Then such a bug in a template wouldn't be a security issue either (you just end up with a broken attribute value). I'm not convinced that we should change the default behavior of `js_escape` for this (maybe some wouldn't like the new, long result). I mean the solution is there, and it's a safer practice. (Because, like, what if the template author doesn't quote the attribute value? Then this workaround won't work.)
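The point the comment makes, as an added example that is not part of the FreeMarker project or of this pull request: the same template fragment is rendered once without an output format (so `?js_string` is the only escaping) and once with `<#ftl output_format="HTML">`, which turns on auto-escaping on top of `?js_string`. It uses the public FreeMarker API (`Configuration`, `Template`, `Template.process`) and assumes FreeMarker 2.3.24 or newer on the classpath, since that is when output formats and auto-escaping were introduced; the sample value, the `show()` JavaScript function and the class name are constructed for the demonstration.

```java
import java.io.StringWriter;
import java.util.Collections;

import freemarker.template.Configuration;
import freemarker.template.Template;

// Added example (not FreeMarker project code): renders an inline event
// handler with and without auto-escaping so the difference is observable.
public class JsStringAutoEscapeDemo {

    // Constructed sample value; a plain double quote is enough to show the point.
    static final String VALUE = "say \"hi\"";

    // No output format: ${...} is emitted raw. ?js_string turns " into \" but a
    // backslash means nothing to the HTML parser, so the quote still ends the
    // attribute value early (the broken-attribute case the comment describes).
    static final String LEGACY_TEMPLATE =
            "<button onclick=\"show('${v?js_string}')\">x</button>";

    // HTML output format: auto-escaping runs after ?js_string, so the double
    // quote reaches the page as &quot;, the attribute stays intact, and the
    // browser hands the JavaScript engine the intended \" sequence.
    static final String AUTOESCAPED_TEMPLATE =
            "<#ftl output_format=\"HTML\">\n"
            + "<button onclick=\"show('${v?js_string}')\">x</button>";

    static String render(String templateSource, String value) throws Exception {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_29);
        Template template = new Template("demo", templateSource, cfg);
        StringWriter out = new StringWriter();
        template.process(Collections.singletonMap("v", value), out);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        String legacy = render(LEGACY_TEMPLATE, VALUE);
        String escaped = render(AUTOESCAPED_TEMPLATE, VALUE);
        System.out.println(legacy);
        System.out.println(escaped);

        // Legacy output carries a raw \" inside the attribute; the auto-escaped
        // output carries \&quot; instead, so the attribute delimiter is preserved.
        if (!legacy.contains("\\\"hi")) {
            throw new AssertionError("?js_string alone should emit a raw \\\"");
        }
        if (!escaped.contains("\\&quot;hi")) {
            throw new AssertionError("auto-escaping should HTML-encode the quote");
        }
    }
}
```

Run it with `freemarker.jar` on the classpath; the two printed lines show that the only difference between the fragile and the safe rendering is the output format declared for the template, which is why the comment treats auto-escaping as the fix rather than a change to the built-in's default output.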
