5 hours ago, Eli Barzilay wrote:
> That is completely incorrect. There is nothing special about
> quasiquotes that makes them more resistant to injection over any kind
> of other templates.

Pardon? Now I'm curious. Xexprs *know* they're XML, so they escape normal strings like you'd expect -- I assume that's what Harry meant.

For illustration, consider

  (let ([user-supplied-input "<script http=\"nasty\">...</script>"])
    (xexpr->string `(html (body (p ,user-supplied-input)))))

The quasiquote expands into

  (xexpr->string '(html (body (p "<script http=\"nasty\">...</script>"))))

And then the xexpr library knows to escape the string, so this becomes:

  <html><body><p><script http="nasty">...</script></p></body></html>

I guess you're making the point that quasiquotes in a web-server/templates template don't protect against injection. After all, the templates library doesn't explicitly escape anything whereas xexpr does.

-- 
Take care,
_mike
____________________
  Racket Users list:
  http://lists.racket-lang.org/users
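The contrast the message draws, as an added example that is not part of the original thread: the same page built as a quasiquoted xexpr (serialised by Racket's `xexpr->string`) and by plain string splicing, which is what an unescaping template amounts to. The names `render-safe`, `render-naive` and `raw-markup?` are chosen here, and the input string is a constructed sample.

```racket
#lang racket
;; Added example, not code from the thread. Shows why the xexpr route
;; is resistant to injection and the string-splicing route is not.
(require xml)

;; Constructed sample of attacker-controlled text, as in the thread.
(define user-supplied-input "<script http=\"nasty\">...</script>")

;; Quasiquoted xexpr: the input stays a string node in the tree, so
;; xexpr->string escapes < > & when it serialises the page.
(define (render-safe input)
  (xexpr->string `(html (body (p ,input)))))

;; The same page assembled by concatenation, which is all an unescaped
;; template does: the input lands in the output verbatim.
(define (render-naive input)
  (string-append "<html><body><p>" input "</p></body></html>"))

;; Attribute values are escaped too, so a quote in the input cannot
;; close the attribute early.
(define (render-attr input)
  (xexpr->string `(a ((title ,input)) "link")))

;; Check used here (hypothetical helper): did a raw tag from the input
;; survive into the serialised page?
(define (raw-markup? page)
  (regexp-match? #rx"<script" page))

(module+ main
  (printf "xexpr: ~a~n" (render-safe user-supplied-input))
  (printf "naive: ~a~n" (render-naive user-supplied-input))
  (printf "attr:  ~a~n" (render-attr "x\" onload=\"y"))
  (printf "xexpr leaks markup? ~a~n" (raw-markup? (render-safe user-supplied-input)))
  (printf "naive leaks markup? ~a~n" (raw-markup? (render-naive user-supplied-input))))
```

Escaping covers text and attribute values, not the meaning of a value: an attribute whose value is interpreted as a URL still needs its own validation before the xexpr is built.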