New templating engine

tenjin is a work-in-progress templating engine (working example code here). Help:

  • Should variables be HTML-escaped by default, maybe with an @raw marker to say that they shouldn't be escaped? Right now there's no escaping at all.
  • Is it possible to run benchmarks in stable Rust?
  • How could it be made more easy to use?
1 Like

Yes, please please escape by default. Experience has shown programmers will forget to escape something somewhere and attackers will find it.

If you can, make it smart enough to be context-dependent, because e.g. <script> and attributes require slightly different escaping than regular HTML body text.


Would HTML-escaping in the implementation for Borrow<str> and adding a struct Raw<S: Borrow<str>>(S); be enough? The only issue I can think of is that if somebody wrote a custom implementation of the Context trait then they might forget to escape it.

RE HTML-escaping: In another thread they just announced the release of Ammonia 1.0.0. which does nothing but HTML escaping.

Is there any opportunity for re-use there?