A few minutes ago, Michael W wrote:
> I guess you're making the point that quasiquotes in a
> web-server/templates template don't protect against injection.

Yes, exactly. And going back to Harry's question, it was about the
"@syntax", and to be precise, that syntax is independent of anything
else. For example, here's your code translated to that:

  #lang at-exp racket
  (require xml) ; provides xexpr->string, which escapes string content

  (let ([user-supplied-input "<script http=\"nasty\">...</script>"])
    ;; @-syntax reading of `(html (body (p ,user-supplied-input)))
    (xexpr->string @`html{@body{@p{@,user-supplied-input}}}))

> After all, the templates library doesn't explicitly escape anything

Right, and *that's* the important issue.

> whereas xexpr does.

Not xexprs -- the library that is commonly used to spit them out as xml.

-- 
          ((lambda (x) (x x)) (lambda (x) (x x)))          Eli Barzilay:
                    http://barzilay.org/                   Maze is Life!

____________________
  Racket Users list:
  http://lists.racket-lang.org/users
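The point made in this thread, as an added example that is not part of the original post: the same @-syntax either splices a raw string into the page (what a web-server/templates template does) or builds an xexpr whose string content xexpr->string escapes. The function names, the constructed sample input and the regexp check are assumptions for this illustration.

```racket
#lang at-exp racket
;; Added example, not from the thread: raw string templating versus
;; xexpr rendering, using the same @-syntax in both cases.
(require xml)

;; Constructed sample standing in for an attacker-controlled value.
(define user-supplied-input "<script src=\"nasty\">...</script>")

;; Raw interpolation: the @-syntax just splices the string into the
;; output, exactly as a template file would.  Nothing is escaped.
;; (@|input| delimits the identifier so "</p>" is not read as part of it.)
(define (render-unescaped input)
  @string-append{<html><body><p>@|input|</p></body></html>})

;; Same @-syntax, but it builds an xexpr instead of a string; the
;; escaping comes from xexpr->string, not from the syntax.
(define (render-escaped input)
  (xexpr->string @`html{@body{@p{@,input}}}))

;; A check a defender can keep as a unit test on rendered output:
;; a literal "<script" in the result means the input was not escaped.
(define (contains-raw-script? html)
  (regexp-match? #rx"<script" html))

(module+ main
  (displayln (render-unescaped user-supplied-input))
  (displayln (render-escaped user-supplied-input))
  (printf "unescaped leaks tag: ~a\n"
          (contains-raw-script? (render-unescaped user-supplied-input)))
  (printf "escaped leaks tag:   ~a\n"
          (contains-raw-script? (render-escaped user-supplied-input))))
```

Run it with `racket file.rkt`: the first rendering carries the raw tag through, the second shows the `<` and `>` of the input turned into entities.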