EExHTML - safely embed content into HTML



Extension to Embedded Elixir (EEx) that allows content to be safely embedded into HTML.

  iex> import EEx.HTML
  iex> title = "EEx Rocks!"
  iex> content = ~E"<h1><%= title %></h1>"
  %EExHTML.Safe{data: [[[[] | "<h1>"], "EEx Rocks!"] | "</h1>"]}
  iex> "#{content}"
  "<h1>EEx Rocks!</h1>"

  iex> title = "<script>"
  iex> content = ~E"<h1><%= title %></h1>"
  %EExHTML.Safe{data: [[[[] | "<h1>"], [[[] | "&lt;"], "script" | "&gt;"]] | "</h1>"]}
  iex> "#{content}"

Works to integrate with the rest of EEx by implementing an HTML-specific engine.
It is extensible for custom data types through the EExHTML.Safe protocol.
The library handles:

  • Auto escaping
  • Setting JavaScript variables

0.1.1 released.

Minor patch to fix a superfluous quote mark entered into pages when using the javascript_variables function.


0.2.0 released

HTML content in lists is now correctly marked as safe, e.g.

  # The template must be a string before it is piped into EEx.eval_string/2
  "<%= for _ <- 1..1 do %><p><%= bar %></p><% end %>"
  |> EEx.eval_string(bar: "<script>")
  |> String.Chars.to_string()

0.2.1 Fix encoding of JavaScript variables.

No changes to API, reasoning is as follows.

Stop using Jason.encode_to_iodata! internally, as this causes ambiguity when using the String.Chars protocol; it is not possible to know if integers should be encoded as numbers or chardata.
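
An added illustration of the ambiguity this release note describes, using only the Elixir standard library; it is not code from the post or from EExHTML. The module, its function names and the sample values are hypothetical and constructed for this example.

```elixir
defmodule IntegerAmbiguity do
  # Treat the value as chardata: every integer in the list is a code point.
  # This is the reading String.Chars and the IO functions apply to lists.
  def escape_chardata(chardata) do
    chardata
    |> IO.chardata_to_string()
    |> String.replace("&", "&amp;")
    |> String.replace("<", "&lt;")
    |> String.replace(">", "&gt;")
  end

  # Treat the value as data: every integer in the list is a number
  # that should appear as digits in a JavaScript array literal.
  def encode_numbers(list) when is_list(list) do
    "[" <> Enum.map_join(list, ",", &Integer.to_string/1) <> "]"
  end
end

# Constructed sample: one list, two incompatible readings.
value = [60, 115, 62]

# Reading 1: chardata. The list is the text "<s>" and must be escaped.
"<s>" = to_string(value)
"&lt;s&gt;" = IntegerAmbiguity.escape_chardata(value)

# Reading 2: data. The same list is three numbers.
"[60,115,62]" = IntegerAmbiguity.encode_numbers(value)

# Constructed encoder-style iodata: 91, 44 and 93 are the bytes "[", ","
# and "]", while the numbers themselves are already binaries. A consumer
# that receives this as a bare list cannot tell it apart from a list of
# numbers still waiting to be encoded.
encoded = [91, "60", 44, "115", 93]
"[60,115]" = IO.iodata_to_binary(encoded)

# Applying the "data" reading to already-encoded bytes gives a different result.
"[91,44,93]" = IntegerAmbiguity.encode_numbers([91, 44, 93])

IO.puts("all matches held")
```

Each pattern match raises a MatchError if the stated result is wrong, so the script doubles as its own check when run with `elixir`.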


1.0 released

Dependency on Jason is now optional and must be added to a project that wants to use safe JavaScript functionality.