EExHTML - safely embed content into HTML


EExHTML

Extension to Embedded Elixir (EEx) that allows content to be safely embedded into HTML.

  iex> import EEx.HTML
  iex> title = "EEx Rocks!"
  iex> content = ~E"<h1><%= title %></h1>"
  %EExHTML.Safe{data: [[[[] | "<h1>"], "EEx Rocks!"] | "</h1>"]}
  iex> "#{content}"
  "<h1>EEx Rocks!</h1>"

  iex> title = "<script>"
  iex> content = ~E"<h1><%= title %></h1>"
  %EExHTML.Safe{data: [[[[] | "<h1>"], [[[] | "&lt;"], "script" | "&gt;"]] | "</h1>"]}
  iex> "#{content}"
  "<h1>&lt;script&gt;</h1>"

Works to integrate with the rest of EEx by implementing an HTML-specific engine.
It is extensible for custom data types through the EExHTML.Safe protocol.
The library handles

  • Auto escaping
  • Setting JavaScript variables
8 Likes

0.1.1 released.

Minor patch to fix a superfluous quote mark entered into pages when using the javascript_variables function.

1 Like

0.2.0 released

HTML content in lists is now correctly marked as safe, e.g.

  iex> "<%= for _ <- 1..1 do %><p><%= bar %></p><% end %>"
  ...> |> EEx.eval_string([bar: "<script>"], engine: EExHTML.Engine)
  ...> |> String.Chars.to_string()
  "<p>&lt;script&gt;</p>"
1 Like

0.2.1 Fix encoding of JavaScript variables.

No changes to the API; the reasoning is as follows.

Stop using Jason.encode_to_iodata! internally, as this causes ambiguity when using the String.Chars protocol: it is not possible to know whether integers should be encoded as numbers or as chardata.

3 Likes
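The two mechanisms discussed in this thread, auto-escaping into iodata and encoding values for a `<script>` block, along with the integer-in-chardata ambiguity behind the 0.2.1 fix, as an added stand-alone Elixir example (constructed for illustration, not code from eex_html; `SafeEmbed`, `escape/1` and `js_literal/1` are hypothetical names and the library's own `javascript_variables` is not shown here):

```elixir
defmodule SafeEmbed do
  @moduledoc """
  Constructed example (not part of eex_html): escaping values into iodata for
  an HTML engine, and why integers must be stringified before they enter the
  iodata list.
  """

  # Escape a value for an HTML text or attribute context. Strings are escaped
  # byte by byte into iodata; any other term goes through to_string/1 first so
  # that an integer is never left in the list as a raw codepoint (a bare 65 in
  # chardata renders as "A", not as "65").
  def escape(value) when is_binary(value) do
    for <<c <- value>>, do: escape_char(c)
  end

  def escape(value), do: escape(to_string(value))

  defp escape_char(?<), do: "&lt;"
  defp escape_char(?>), do: "&gt;"
  defp escape_char(?&), do: "&amp;"
  defp escape_char(?"), do: "&quot;"
  defp escape_char(?'), do: "&#39;"
  defp escape_char(c), do: <<c>>

  # Encode a term as a JavaScript literal for use inside a <script> element.
  # "<", ">" and "&" are written as \u escapes so a string value can never close
  # the script element or introduce markup; numbers stay numbers because they
  # are decided on by type here, not guessed from a chardata list.
  def js_literal(value) when is_binary(value) do
    escaped =
      value
      |> String.replace("\\", "\\\\")
      |> String.replace("\"", "\\\"")
      |> String.replace("\n", "\\n")
      |> String.replace("<", "\\u003c")
      |> String.replace(">", "\\u003e")
      |> String.replace("&", "\\u0026")

    ["\"", escaped, "\""]
  end

  def js_literal(value) when is_integer(value) or is_float(value), do: to_string(value)
  def js_literal(true), do: "true"
  def js_literal(false), do: "false"
  def js_literal(nil), do: "null"
end

# Usage with constructed inputs: an HTML text node, an integer, and a string
# that would otherwise terminate the script element.
IO.inspect(IO.chardata_to_string(["<h1>", SafeEmbed.escape("<script>"), "</h1>"]))
IO.inspect(IO.chardata_to_string(["<h1>", SafeEmbed.escape(65), "</h1>"]))
IO.inspect(IO.chardata_to_string(["<script>var t = ", SafeEmbed.js_literal("</script><b>"), ";</script>"]))
```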

1.0 released

Dependency on Jason is now optional and must be added to a project that wants to use the safe JavaScript functionality.

2 Likes