Steve Klabnik edited this page Sep 13, 2013 · 17 revisions

A library/module for escaping/unescaping of special HTML characters.

1. Announcement to mailing list

  • Proposed editor: your name
  • Date proposed: date of proposal
  • Link: link to email

Notes from discussion on mailing list

  • note
  • note
  • note

2. Research of standards and techniques

  1. Standard: standard - link to docs - ...
  2. Standard: standard - link to docs - ...
  3. Technique: technique - link to docs - ...
  4. Technique: technique - link to docs - ...

Summary of research on standards and leading techniques

Relevant standards and techniques exist?

Those intended to follow (and why)

Those intended to ignore (and why)

3. Research of libraries from other languages

  1. Language: Go - html
    • EscapeString() escapes only the 5 characters < > & ' "
    • UnescapeString() unescapes more characters
  2. Language: PHP - htmlspecialchars()
  3. Language: Ruby - CGI.escapeHTML

Summary of research from other languages:

Structures and functions commonly appearing

Variations on implementation seen

Pitfalls and hazards associated with each variant

Relationship to other libraries and/or abstract interfaces

4. Module writing

See https://github.com/veddan/rust-htmlescape

  • Pull request: link to bug

Additional implementation notes

Question: where should the complete list of characters to escape, and the entities to produce for them, come from?

  • escape_minimal() escapes only the 5 characters < > & ' " that must be escaped for security/forms/URLs
    • < => &lt;
    • > => &gt;
    • & => &amp;
    • ' => &#39;
    • " => &#34;
  • escape_full() escapes all characters
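
A sketch of the minimal variant together with a matching unescape, added here as an example and not taken from rust-htmlescape. It follows the asymmetry noted for Go above: escaping emits only the five entities listed, while unescaping also accepts `&quot;`, `&apos;` and decimal/hex numeric references. The names `unescape` and `decode_entity`, and the choice to pass malformed references through unchanged, are assumptions.

```rust
/// Added example, not rust-htmlescape code: escape the five characters listed above.
pub fn escape_minimal(input: &str) -> String {
    let mut out = String::with_capacity(input.len());
    for c in input.chars() {
        match c {
            '<' => out.push_str("&lt;"),
            '>' => out.push_str("&gt;"),
            '&' => out.push_str("&amp;"),
            '\'' => out.push_str("&#39;"),
            '"' => out.push_str("&#34;"),
            _ => out.push(c),
        }
    }
    out
}

/// Hypothetical helper: decode the text between '&' and ';'.
fn decode_entity(body: &str) -> Option<char> {
    let named = [("lt", '<'), ("gt", '>'), ("amp", '&'), ("quot", '"'), ("apos", '\'')];
    if let Some(&(_, c)) = named.iter().find(|(n, _)| *n == body) {
        return Some(c);
    }
    let num = body.strip_prefix('#')?;
    let hex = num.strip_prefix(|c: char| c == 'x' || c == 'X');
    let (digits, radix) = hex.map_or((num, 10), |h| (h, 16));
    if digits.is_empty() || !digits.chars().all(|c| c.is_digit(radix)) {
        return None; // rejects "&#;", "&#xZZ;", "&#+60;"
    }
    char::from_u32(u32::from_str_radix(digits, radix).ok()?).filter(|&c| c != '\0')
}

/// Hypothetical name: accepts more forms than escape_minimal emits; malformed input passes through.
pub fn unescape(input: &str) -> String {
    let (mut out, mut rest) = (String::with_capacity(input.len()), input);
    while let Some(amp) = rest.find('&') {
        out.push_str(&rest[..amp]);
        let tail = &rest[amp + 1..];
        let hit = tail.find(';').and_then(|end| decode_entity(&tail[..end]).map(|c| (c, end)));
        match hit {
            Some((c, end)) => { out.push(c); rest = &tail[end + 1..]; }
            None => { out.push('&'); rest = tail; }
        }
    }
    out.push_str(rest);
    out
}

fn main() {
    println!("{}", unescape(&escape_minimal("<a href='x'>\"T&C\"</a>")));
}
```

Unescaping is a single pass, so `&amp;lt;` decodes to the text `&lt;` and not to `<`; decoding the output a second time would undo the escaping.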
