New templating engine


#1

tenjin is a work-in-progress templating engine (working example code here). Help:

  • Should variables be HTML-escaped by default, maybe with an @raw marker to say that they shouldn’t be escaped? Right now there’s no escaping at all.
  • Is it possible to run benchmarks in stable Rust?
  • How could it be made easier to use?

#2

Yes, please please escape by default. Experience has shown programmers will forget to escape something somewhere and attackers will find it.

If you can, make it smart enough to be context-dependent, because e.g. <script> and attributes require slightly different escaping than regular HTML body text.


#3

Would HTML-escaping in the implementation for Borrow<str> and adding a struct Raw<S: Borrow<str>>(S); be enough? The only issue I can think of is that if somebody wrote a custom implementation of the Context trait then they might forget to escape it.
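The design discussed in posts #2 and #3, as an added example that is not part of the thread and not tenjin's code: string-like values are escaped by default and only an explicit `Raw` wrapper opts out. The `Render` trait, `escape_html`, `render_template` and the `{{name}}` placeholder syntax are assumptions made for illustration.

```rust
use std::borrow::Borrow;
use std::collections::HashMap;

/// Hypothetical trait (an assumption, not tenjin's API): write a value into HTML.
pub trait Render { fn render(&self, out: &mut String); }

/// Opt-out wrapper in the shape proposed in post #3: contents go out verbatim.
pub struct Raw<S: Borrow<str>>(pub S);

/// Escapes the characters significant in HTML body text and quoted attributes.
pub fn escape_html(input: &str, out: &mut String) {
    for c in input.chars() {
        match c {
            '&' => out.push_str("&amp;"),
            '<' => out.push_str("&lt;"),
            '>' => out.push_str("&gt;"),
            '"' => out.push_str("&quot;"),
            '\'' => out.push_str("&#x27;"),
            _ => out.push(c),
        }
    }
}

// Default path: every string-like value (String, &str, ...) is escaped.
impl<S: Borrow<str>> Render for S {
    fn render(&self, out: &mut String) {
        escape_html(<S as Borrow<str>>::borrow(self), out);
    }
}
// Explicit opt-out: only values the caller wrapped in Raw skip escaping.
impl<S: Borrow<str>> Render for Raw<S> {
    fn render(&self, out: &mut String) {
        out.push_str(<S as Borrow<str>>::borrow(&self.0));
    }
}

/// Substitutes `{{name}}` placeholders (syntax constructed for this example).
/// Unknown names render as nothing; an unclosed `{{` is emitted literally.
pub fn render_template(template: &str, ctx: &HashMap<&str, &dyn Render>) -> String {
    let (mut out, mut rest) = (String::new(), template);
    while let Some(start) = rest.find("{{") {
        let len = match rest[start..].find("}}") { Some(n) => n, None => break };
        out.push_str(&rest[..start]);
        let name = rest[start + 2..start + len].trim();
        if let Some(value) = ctx.get(name) { value.render(&mut out); }
        rest = &rest[start + len + 2..];
    }
    out.push_str(rest);
    out
}
```

This escaping is only correct for HTML body text and quoted attribute values; the `<script>` and other contexts mentioned in post #2 need their own encoders.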


#4

RE HTML-escaping: In another thread they just announced the release of Ammonia 1.0.0, which does nothing but HTML escaping.

Is there any opportunity for re-use there?