The PreEscaped / Markup naming was lifted from blaze-markup, which supports both HTML and XML. But Maud was always HTML-only, and the upcoming context-aware escaping effort will deepen this specialization.
Let's rename it to just Html.
PreEscaped wraps any T: AsRef<str>, but I've only seen it used with String and &'static str.
Let's make it wrap Cow<'static, str> instead.
The PreEscaped constructor makes it too easy to treat any arbitrary string as HTML. Modern APIs like the Trusted Types proposal force the user to do some sanitizing/escaping first, or at least acknowledge the security risk if they don't.
Let's remove the public constructor, and replace it with...
Just wanted to mention that PreEscaped was confusing to me when I discovered maud. So 👍 on that rename, it would be a net positive wrt discoverability, IMO.
There needs to be consideration for making sure it is possible to serialize Html for use-cases like pushing DOM updates over websocket messages. Either Html needs to be Into<String> or maud needs to have a serde feature.
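An added sketch, not part of the thread and not Maud's actual API, of the shape the issue and the serialization comment point toward: an `Html` type over `Cow<'static, str>` with no public wrap-anything constructor, plus a `String` conversion. The names `escape`, `from_static`, `from_trusted_unchecked` and `as_str` are assumptions made for this illustration.

```rust
use std::borrow::Cow;

/// Hypothetical `Html` type. The field is private, so code outside the
/// defining module can only obtain a value through the constructors below.
#[derive(Debug, Clone, PartialEq)]
pub struct Html(Cow<'static, str>);

impl Html {
    /// Escape untrusted text for an HTML text or quoted-attribute context.
    pub fn escape(text: &str) -> Html {
        let mut out = String::with_capacity(text.len());
        for c in text.chars() {
            match c {
                '&' => out.push_str("&amp;"),
                '<' => out.push_str("&lt;"),
                '>' => out.push_str("&gt;"),
                '"' => out.push_str("&quot;"),
                '\'' => out.push_str("&#39;"),
                _ => out.push(c),
            }
        }
        Html(Cow::Owned(out))
    }

    /// Markup that is normally a string literal; borrowed, no allocation.
    pub const fn from_static(markup: &'static str) -> Html {
        Html(Cow::Borrowed(markup))
    }

    /// Escape hatch for already-sanitized markup. The name (an assumption)
    /// makes the caller acknowledge the risk and is easy to grep in review.
    pub fn from_trusted_unchecked(markup: String) -> Html {
        Html(Cow::Owned(markup))
    }

    pub fn as_str(&self) -> &str {
        &self.0
    }
}

/// Gives `Html: Into<String>` so markup can be put in a websocket message.
impl From<Html> for String {
    fn from(html: Html) -> String {
        html.0.into_owned()
    }
}

fn main() {
    let untrusted = "Tom & <b>Jerry</b>"; // constructed sample input
    let payload: String = Html::escape(untrusted).into();
    println!("{}", payload);
}
```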