Changes between Version 1 and Version 2 of Ticket #17419, comment 25


Timestamp:
Jan 25, 2016, 1:24:41 PM (9 years ago)
Author:
Nathan Vander Wilt

  • Ticket #17419, comment 25

    v1 / v2 (lines that changed between the two versions are shown as a v1/v2 pair; all other lines are unchanged)

    The suggested patch has rather surprising behavior to me, with its custom escaping. Normally an HTML attribute is the *best* place to put JSON-formatted data:

    v1: - plays nicely most template language's default HTML escaping (i.e. the usual `"` behaves correctly)
    v2: - plays nicely most template languages' default HTML escaping (i.e. the usual `"` behaves correctly)
    - provides a safe place for data to live _as data_, rather than as code
    - just as easy to get to from an external script file as an inline one

    The argonauts approach isn't necessarily wrong, but feels more like it's intended to be used as a "generate some JavaScript" tag rather than one for "output JSON content [safely in an HTML context]". Granted, the former (inline JavaScript) could very well be what many developers want, and the latter (HTML-safe JSON) ends up being a bit of a pain anywhere *but* in an attribute.

    v1: Hopefully my 2¢ on an alternative consideration is helpful feedback. There's certainly some irony in proposing a solution that only works one place, up against a solution that is convenient everywhere *except* that same place (where it happens to be unsafe). For me it was a tradeoff: fully escaped output is _safe_ anywhere it ends up. Unfortunately it's only _useful_ when extracted from an attribute value, but that's a habit I was willing to settle on; I can use the same pattern across pretty much any platform's template engine. YMMV.
    v2: Hopefully my 2¢ on an alternative consideration is helpful feedback. There's certainly some irony in proposing a solution that only works in one slightly awkward place, up against a solution that is convenient everywhere *except* that same place (albeit where it is then unsafe). For me it was a tradeoff: fully escaped output is _safe_ anywhere it ends up. Unfortunately it's only _useful_ when extracted from an attribute value, but that's a habit I was willing to settle on; I can use the same pattern across pretty much any platform's template engine. YMMV.
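The tradeoff this comment describes, as an added example that is not from the ticket, the proposed patch, or Django itself: both escaping strategies are applied to one constructed object and scored for safety and usability in the attribute and `<script>` contexts. The entity decoder and the `</script` check are simplified stand-ins for what a browser does, and every function name here is my own.

```javascript
// Constructed sample containing every HTML-significant character.
const SAMPLE = { title: 'Fish & Chips <b>"special"</b>', note: '</script>' };

// Strategy A: ordinary HTML escaping, as a template engine's autoescape does.
// Safe wherever it lands, but only attributes (and text nodes) get un-escaped
// by the browser; a <script> body is handed to the JS engine verbatim.
function escapeForAttribute(json) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return json.replace(/[&<>"']/g, (c) => map[c]);
}

// Strategy B: JSON-level \uXXXX escaping of <, > and & (json_script style).
// Still valid JSON, so a <script> body can parse it directly; quotes stay raw.
function escapeForScript(json) {
  const map = { '<': '\\u003c', '>': '\\u003e', '&': '\\u0026' };
  return json.replace(/[<>&]/g, (c) => map[c]);
}

// Simplified stand-in for the browser's attribute-value entity decoding.
function decodeAttribute(value) {
  return value.replace(/&quot;/g, '"').replace(/&#x27;/g, "'")
    .replace(/&lt;/g, '<').replace(/&gt;/g, '>').replace(/&amp;/g, '&');
}

// A raw `"` ends a double-quoted attribute value early.
function safeInAttribute(value) { return !value.includes('"'); }
// The HTML parser ends a <script> body at `</script` (case-insensitive);
// `<!--` is excluded too, since it changes how the script body is tokenised.
function safeInScript(body) { return !/<\/script|<!--/i.test(body); }

// Does the consumer get the original object back from this text?
function roundTrips(text, original) {
  try { return JSON.stringify(JSON.parse(text)) === JSON.stringify(original); }
  catch (_) { return false; }
}

// Score both strategies in both contexts for one object.
function evaluate(obj) {
  const json = JSON.stringify(obj);
  const score = (text) => ({
    safeInAttribute: safeInAttribute(text),
    usableFromAttribute: roundTrips(decodeAttribute(text), obj),
    safeInScript: safeInScript(text),
    usableInScript: roundTrips(text, obj),
  });
  return { attrEscaped: score(escapeForAttribute(json)),
           scriptEscaped: score(escapeForScript(json)) };
}
console.table(evaluate(SAMPLE));
```

The table shows the asymmetry the comment describes: attribute-escaped JSON is safe in both contexts but only usable when read back out of an attribute, while the `\u003c`-style output is usable in both but breaks out of a double-quoted attribute.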