Agreed, we can; using `sigil_E` is not a big deal. But using `raw` is not a big deal either.
Drab targets not only experienced users. Imagine you just learned Phoenix, made your application with `<input>`, and whatever the user typed into it is shown properly escaped. Great! You don't have to deal with escaping, which makes your application safer.
Then you are trying Drab. Create an
`insert_html`) its value. What do you expect? For me, it would be more natural for beginners to escape it by default, just like Phoenix does.
If you need to manually escape every string you push to the browser, you may simply forget to do it. I made such a mistake in Drab's demo page! Remember, you found it; thanks a lot again.
Safe-by-default should be implemented only on the functions which deal with the node's
`poke` (but only when updating the HTML, not an attribute or property). Low-level functions like `exec_js` should stay unescaped, obviously.
Looks like this answer convinced me of the safe-by-default idea.
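The escaping policy discussed above, as an added example that is not part of the thread and not Drab's or Phoenix's code: a minimal escaper in the style of `Phoenix.HTML`, where a value is escaped unless the caller has explicitly marked it trusted with `raw/1`. The module name `SafeHtml` and the helper `html_payload/1` are hypothetical; `html_payload/1` stands in for the HTML-updating path of a push function, while attribute, property and JS-execution paths are assumed to pass values through untouched, as the comment proposes.

```elixir
# Added example, not Drab's code: a "safe by default" HTML escaper modelled on
# how Phoenix templates behave. Plain strings are escaped; values already
# wrapped as {:safe, iodata} by raw/1 are pushed verbatim.
defmodule SafeHtml do
  @escapes [{?<, "&lt;"}, {?>, "&gt;"}, {?&, "&amp;"}, {?", "&quot;"}, {?', "&#39;"}]

  # Mark developer-authored markup as trusted, bypassing escaping
  # (same contract as Phoenix.HTML.raw/1).
  def raw(iodata), do: {:safe, iodata}

  # Escape anything that has not already been marked safe.
  def escape({:safe, _} = safe), do: safe
  def escape(value) when is_binary(value), do: {:safe, do_escape(value)}
  def escape(value), do: escape(to_string(value))

  defp do_escape(bin) do
    for <<c::utf8 <- bin>>, into: "", do: escape_char(c)
  end

  # One clause per dangerous character, generated at compile time.
  for {char, entity} <- @escapes do
    defp escape_char(unquote(char)), do: unquote(entity)
  end

  defp escape_char(c), do: <<c::utf8>>

  # Hypothetical helper for the HTML-updating path of a push function:
  # the string that ends up in the node's markup is always the escaped form,
  # unless the caller opted out with raw/1.
  def html_payload(value) do
    {:safe, iodata} = escape(value)
    IO.iodata_to_binary(iodata)
  end
end

# Constructed sample input: untrusted text straight from a user.
user_input = "<img src=x onerror=alert(1)>"
IO.puts(SafeHtml.html_payload(user_input))

# Developer-authored markup that must reach the browser verbatim.
IO.puts(SafeHtml.html_payload(SafeHtml.raw("<b>bold</b>")))
```

The first `IO.puts` prints the user's text with `<`, `>` and quotes replaced by entities, so it renders as literal text rather than a tag; the second prints the `<b>` markup unchanged because the caller wrapped it with `raw/1`. Forgetting to call an escaper is no longer possible on the HTML path; the only way to emit raw markup is to say so explicitly.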