Technique for ensuring HTML- and URL-encoding
Posted
by JW
on Stack Overflow
See other posts from Stack Overflow
or by JW
Published on 2010-03-08T03:24:44Z
Indexed on
2010/03/08
3:30 UTC
Read the original article
Hit count: 605
Has anyone implemented a good template system for ensuring that output is properly HTML-encoded where it makes sense? Maybe even something that recognizes when output should be URL-encoded or JSON-encoded instead?
The lazy approach — just encoding all inputs — causes problems when you want to send those inputs to a database, or to a block of JavaScript code. So something a little smarter is needed.
The tedious approach — putting the proper encoding function around each piece of data on the template — works, but it's easy for developers to forget to do it.
Is there a good approach that makes it easy for developers, and ensures that the right encoding is done? I was listening to one of the SO podcasts, and Joel tossed out an idea about using typed data to enforce a difference between HTML-encoded strings and non-encoded strings. Maybe that could be a starting point.
I'm looking more for a strategy than for an implementation in a particular language (although I'd be happy to hear about implementations that already exist and work).
© Stack Overflow or respective owner