Technique for ensuring HTML- and URL-encoding

Posted by JW on Stack Overflow
Published on 2010-03-08T03:24:44Z Indexed on 2010/03/08 3:30 UTC


Has anyone implemented a good template system for ensuring that output is properly HTML-encoded where it makes sense? Maybe even something that recognizes when output should be URL-encoded or JSON-encoded instead?

The lazy approach — just encoding all inputs — causes problems when you want to send those inputs to a database, or to a block of JavaScript code. So something a little smarter is needed.

The tedious approach — putting the proper encoding function around each piece of data on the template — works, but it's easy for developers to forget to do it.

Is there a good approach that makes it easy for developers, and ensures that the right encoding is done? I was listening to one of the SO podcasts, and Joel tossed out an idea about using typed data to enforce a difference between HTML-encoded strings and non-encoded strings. Maybe that could be a starting point.

I'm looking more for a strategy than for an implementation in a particular language (although I'd be happy to hear about implementations that already exist and work).
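One way to carry out the typed-string strategy sketched in the question, as an added Python example that is not part of the original post and not taken from any existing template engine; the `Markup` class, the `render` function and the `{{name|context}}` placeholder syntax are assumptions chosen for illustration:

```python
import html
import json
import re
from urllib.parse import quote


class Markup(str):
    """A str subclass marking text that is already safe for an HTML context.
    Anything that is a plain str is treated as untrusted and gets encoded."""
    __slots__ = ()


def html_encode(value) -> Markup:
    # Already-marked fragments pass through, so nothing is double-encoded;
    # everything else is escaped for an HTML element or attribute context.
    if isinstance(value, Markup):
        return value
    return Markup(html.escape(str(value), quote=True))


def url_encode(value) -> str:
    # Percent-encode everything except unreserved characters, for a URL component.
    return quote(str(value), safe="")


def json_encode(value) -> str:
    # JSON for an inline <script> block; <, > and & are additionally written as
    # \uXXXX so a value containing "</script>" cannot terminate the script element.
    text = json.dumps(value)
    return text.replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")


ENCODERS = {"html": html_encode, "url": url_encode, "json": json_encode}
PLACEHOLDER = re.compile(r"\{\{\s*(\w+)(?:\|(\w+))?\s*\}\}")


def render(template: str, **values) -> Markup:
    """Fill {{name}} (HTML context, the default) or {{name|url}} / {{name|json}}.
    The placeholder's context selects the encoder, so a developer never calls an
    escape function by hand, and forgetting the context falls back to HTML encoding."""
    def substitute(match):
        name, context = match.group(1), match.group(2) or "html"
        return ENCODERS[context](values[name])
    return Markup(PLACEHOLDER.sub(substitute, template))
```

Because `render` returns `Markup`, a fragment produced by one template can be dropped into another without being encoded a second time, while any plain `str` reaching an HTML slot is always escaped.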

© Stack Overflow or respective owner
