Fix codegen build (toml 0.9 broke things), improve v_htmlescape behaviour (don’t encode slash)#164
chris-morgan wants to merge 6 commits into zzau13:master from
Conversation
Dependency version specifier "0" is always wrong. In this case, toml 0.8 could parse an entire TOML file as Value, but toml 0.9 fixed that obvious wrongness, insisting you use Table. Instead of changing the version to 0.8, I updated it to 0.9.
I reckon this improves things quite a bit. Still messy, but I find it noticeably easier to follow. (I still dislike rustfmt, makes it worse.)
Also ran cargo fmt, since that minimises the {src,tests}/lib.rs diffs.
(If that’s to be done, then I ask what the point of prettyplease is.)
This was always a mistake; nothing has *ever* required it. This was one of the worse problems with OWASP’s XSS prevention cheat sheet, a thoroughly bad document that was bad when it was written around 2010, and became worse as edits were made to it, though some edits in 2020–2023 finally improved it a little. Details *were* in <OWASP/CheatSheetSeries#515>, but that issue has been deleted, and the Wayback Machine didn’t have it. Sigh. I don’t like OWASP because of things like this. This should be considered a breaking change, because some people will have tests depending on the wonky behaviour.
Easier to read this way.
• HTML 3.2 (January 1997) lacked " and '.
• HTML 4 (December 1997) had " but lacked '.
• XML 1.0 (February 1998) had both " and '.
• HTML 5 (January 2008) added '.
• IE 8 (March 2009) was the last browser that lacked '.
By that time everyone else had been doing this HTML 5 thing for a while,
and Microsoft followed suit in IE 9.
Frankly, I don’t like apostrophe being encoded;
I would declare double-quoted attribute values the One True Form,
rejecting single-quoted attribute values,
just like unquoted attribute values are rejected by libraries like this.
But that would be a bit too drastic a change to make at this stage.
Another alternative is to use &#39;, which is shorter.
This should again be considered a breaking change.
And a slightly more serious one than stopping escaping slash,
because it *will* actually break IE≤8.
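The two escaping commits above argue for a precise character set: `&`, `<`, `>`, `"` and `'` get encoded, `/` does not, and `&#39;` is the shorter spelling for the apostrophe. As an added example (not v_htmlescape's own code, and not from this PR), here is a minimal escaper with exactly that set, plus an `is_inert` check, an assumed helper of my own, that confirms the output cannot close a text node or a single- or double-quoted attribute value:

```rust
// Added example, not code from v_htmlescape: a minimal escaper using the
// character set the commit messages argue for (no `/`, `'` as `&#39;`),
// plus a check that the output is inert in text and attribute contexts.

/// Entity spellings used below. `&#39;` is the shorter apostrophe form the
/// commit message suggests; the other four are the standard named entities.
const ENTITIES: [(char, &str); 5] = [
    ('&', "&amp;"),
    ('<', "&lt;"),
    ('>', "&gt;"),
    ('"', "&quot;"),
    ('\'', "&#39;"),
];

/// Escape the five characters that can end an HTML text node or a quoted
/// attribute value. `/` is left untouched: it has no special meaning in
/// either context, so encoding it only bloats the output.
pub fn escape_html(input: &str) -> String {
    let mut out = String::with_capacity(input.len());
    for c in input.chars() {
        match ENTITIES.iter().find(|(ch, _)| *ch == c) {
            Some((_, entity)) => out.push_str(entity),
            None => out.push(c),
        }
    }
    out
}

/// Check that `escaped` can be dropped into a text node or into a single-
/// or double-quoted attribute without altering the surrounding markup:
/// none of the five characters may remain, except an `&` that starts one of
/// the entities above. (Assumed helper for this example, not library code.)
pub fn is_inert(escaped: &str) -> bool {
    let mut rest = escaped;
    while let Some(pos) = rest.find(|c: char| ENTITIES.iter().any(|(ch, _)| *ch == c)) {
        let tail = &rest[pos..];
        match ENTITIES.iter().find(|(_, e)| tail.starts_with(*e)) {
            Some((_, e)) => rest = &tail[e.len()..],
            None => return false,
        }
    }
    true
}

fn main() {
    // Constructed sample input: a slash in a URL, both quote styles, an ampersand.
    let raw = r#"<a href='/x'>O'Reilly & "co"</a>"#;
    let escaped = escape_html(raw);
    println!("{}", escaped);
    println!("inert: {}", is_inert(&escaped));
}
```

The `/x` in the sample survives unchanged while every character that could terminate a context is replaced, which is the whole point of the "don't encode slash" commit; `is_inert` returning `true` for the output and `false` for raw `'` or a bare `&` is the property a test suite should check instead of pinning the exact escaped string.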
Read the commit messages for more detail.
Why the v_escape_codegen@0.1.9 → 0.1.8? Dunno, haven’t delved.