I am trying to pass a message to a Mustache template that looks something like this:
The URL you entered http://example.com not valid.
The user specifies a URL, so the URL must be escaped. However, I want to place <code> tags around the URL so that it stands out from the surrounding text, so the code tags should be passed through without escaping.
I could write something like this:
{{text_before_url}}<code>{{url}}</code>{{text_after_url}}
However, the message text is changing, and it is not always suitable for this structure.
I could also try to output raw text with three curly braces, {{{messages}}}, and escape the URL with something like htmlentities($url), but if someone adapts the program later to send a new message and passes data without realising it must be escaped, then we run into a big XSS problem.
I may just be out of luck, and I understand the importance of having a simple template engine, but is there any way I can tell Mustache that the HTML tags are okay while still escaping the rest of the output?
Kevin
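Added example, not code from the question and not Mustache.js or Mustache.php: a minimal stand-in renderer that supports only {{name}} (HTML-escaped) and {{{name}}} (raw), plus a SafeHtml wrapper type so that raw insertion is only accepted for fragments whose untrusted values were escaped by the renderer itself. The escape set, the SafeHtml class, the htmlMessage helper and the attacker input are all this example's own assumptions. It shows the pattern the question is circling: render the message as its own small template (trusted <code> tags in the template, untrusted URL through {{ }}), then place the result with {{{ }}}; and it turns the feared failure mode, a later change passing a hand-built string raw, into an exception instead of an XSS.

```javascript
// Added example (not the question's code, not Mustache.js / Mustache.php):
// a minimal stand-in renderer with {{name}} (escaped) and {{{name}}} (raw),
// plus a SafeHtml type so only renderer-produced fragments may go in raw.
// Escape set, SafeHtml and htmlMessage are this example's own choices.

const ESCAPE_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPE_MAP[ch]);
}

// Marks a fragment as already-safe HTML; only htmlMessage() creates these.
class SafeHtml {
  constructor(html) {
    this.html = html;
  }
}

// Single-pass substitution: replacement text is never rescanned, so braces
// that arrive inside user data cannot be interpreted as template tags.
function renderTemplate(template, view) {
  const tag = /\{\{\{\s*(\w+)\s*\}\}\}|\{\{\s*(\w+)\s*\}\}/g;
  return template.replace(tag, (_match, rawName, escName) => {
    if (rawName !== undefined) {
      const value = view[rawName];
      if (!(value instanceof SafeHtml)) {
        // A plain string in {{{ }}} is exactly the mistake the question fears:
        // refuse to render rather than emit unescaped data.
        throw new TypeError('{{{' + rawName + '}}} requires a SafeHtml value');
      }
      return value.html;
    }
    const value = view[escName];
    return escapeHtml(value === undefined || value === null ? '' : value);
  });
}

// Render a developer-controlled markup template with untrusted values. Every
// value passes through {{ }} escaping, so the result may be placed with {{{ }}}.
// The markup argument must be a literal the developer wrote, never user data.
function htmlMessage(markup, values) {
  return new SafeHtml(renderTemplate(markup, values));
}

const PAGE_TEMPLATE = '<p class="error">{{{message}}}</p>';

// The question's case: trusted <code> tags around an untrusted URL.
function renderInvalidUrl(url) {
  const message = htmlMessage(
    'The URL you entered <code>{{url}}</code> is not valid.',
    { url }
  );
  return renderTemplate(PAGE_TEMPLATE, { message });
}

// The failure mode: a later change assembles the string by hand and passes it
// through {{{message}}} without escaping. Because a SafeHtml is required, this
// throws a TypeError instead of shipping an XSS.
function renderInvalidUrlUnsafe(url) {
  const message = 'The URL you entered <code>' + url + '</code> is not valid.';
  return renderTemplate(PAGE_TEMPLATE, { message });
}

// Constructed attacker input for a quick demonstration.
const ATTACK_URL = '"><script>alert(1)</script>';
console.log(renderInvalidUrl(ATTACK_URL));
```

In a real Mustache engine there is no SafeHtml type, so the equivalent is the first half only: render the message with its own sub-template (escaping on) and hand the result to the page template with triple braces, accepting that the engine cannot tell a pre-escaped fragment from a raw string. Keeping every triple-brace value behind one helper such as htmlMessage is what makes that discipline reviewable. Note also that Mustache.js escapes a wider character set than the five entities used here.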