
Comments (3)

weavejester avatar weavejester commented on May 14, 2024

This isn't a bug, it's a feature :)

There are two problems with automatically escaping the content of a tag. The first problem is that it prevents helper functions from being optimized. For instance, take the following code:

(defn unordered-list [coll]
  [:ul (for [x coll] [:li x])])

(println (html [:div.test (unordered-list [1 2 3])]))

Because the html macro doesn't know anything about the internals of unordered-list, it has to fall back to dynamically parsing the resulting vector each time. This is relatively slow. On the other hand, if we write:

(defn unordered-list [coll]
  (html [:ul (for [x coll] [:li x])]))

Then the html macro can optimize the body of the unordered-list function. But because the html macro returns a string, in order for this to work, strings need to be unescaped by default.

The second problem is that you may have raw HTML from some non-Hiccup source you want to render. For instance, maybe you allow your users to post HTML, or maybe you want to use some other template renderer inside Hiccup for some reason.

So because of these two reasons, a tag's content is not escaped. However, you can easily escape it by using escape-html or h:

(html [:div (h "<&")])

from hiccup.

mva avatar mva commented on May 14, 2024

I was afraid that it is a feature :-)

Thanks for taking the time for a long reply.

The reason why I brought this up is that I noticed that there is
a mismatch between my mental model of this particular part of
hiccup (and the way I use it), and the actual implementation. I
was assuming that hiccup would encapsulate the low-level HTML
quoting stuff, and that I could just provide text, not markup,
when I was putting string literals into vectors. The small test
case showed me that I was wrong.

A summary of the situation would look like this:

              hiccup        my model
1) text       (h "...")     "..."
2) markup     "..."         ???

Unfortunately for me, I am putting non-markup text into strings
99% of the time. Knowing myself, I won't remember to call the h
fn at all the places where it is required. Only once or twice in
the past years I wanted to put a string as unchanged markup into
HTML output. For this reason I am very inclined to optimize for
my usage scenario and perfectly willing to sacrifice CPU cycles.
Lazy me :-)

So I am asking myself: what do I have to do to move the code closer
to my mental model? I understand your reasoning for the
implemented semantics, so this is probably purely hypothetical
from your point of view.

I'm currently using compojure-0.3.2 and I got line (1) from the
table above by changing the last line of html-tree in gen.clj
from (str tree) to (escape-html tree). Because I am calling
html only on the very top level, this seems to work just fine.

For hiccup, I changed render-html in a similar way, and
implemented the ??? from the table above as [:markup strings]
(see diff).

The unit tests succeed with this change. As I am not actively
using hiccup in an application right now: Beyond the issues you
mention in your comment, do you foresee additional problems for
an actual web server application?

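As an added example (not Hiccup's own code and not the diff mva refers to), here is a minimal hiccup-style renderer in plain Clojure that implements the model from the table above: every string is text and is escaped, and raw markup has to be wrapped explicitly in [:markup ...]. The names escape-html, render and render-element are this example's own, and it depends only on clojure.core and clojure.string.

```clojure
(ns escape-by-default
  (:require [clojure.string :as cs]))

(defn escape-html
  "Escape the characters that change meaning in HTML text and attributes."
  [^String s]
  (-> s
      (cs/replace "&" "&amp;")
      (cs/replace "<" "&lt;")
      (cs/replace ">" "&gt;")
      (cs/replace "\"" "&quot;")
      (cs/replace "'" "&#39;")))

(declare render)

(defn- render-attrs [attrs]
  (apply str (for [[k v] attrs]
               (str " " (name k) "=\"" (escape-html (str v)) "\""))))

(defn- render-element [[tag & body]]
  ;; An optional attribute map may follow the tag keyword.
  (let [[attrs content] (if (map? (first body))
                          [(first body) (rest body)]
                          [{} body])]
    (str "<" (name tag) (render-attrs attrs) ">"
         (apply str (map render content))
         "</" (name tag) ">")))

(defn render
  "Text is escaped by default; [:markup s ...] is the only raw escape hatch."
  [node]
  (cond
    (nil? node)    ""
    (string? node) (escape-html node)
    (and (vector? node) (= :markup (first node))) (apply str (rest node))
    (vector? node) (render-element node)
    (seq? node)    (apply str (map render node))   ; e.g. output of `for`
    :else          (escape-html (str node))))      ; numbers, keywords, ...

;; Constructed sample input: user-supplied text that happens to contain
;; markup. With this renderer it is emitted as visible text, not as tags.
(def user-text "Tom & <b>Jerry</b>")

(defn demo []
  [(render [:div {:title user-text} user-text])
   ;; The page's unordered-list shape: ints pass through the :else branch.
   (render [:ul (for [x [1 2 3]] [:li x])])
   ;; Markup from a trusted source must be opted into explicitly.
   (render [:div [:markup "<em>trusted fragment</em>"]])])
```

The three strings returned by demo show the two cases mva's table distinguishes: text (escaped without any call to h) and markup (only through [:markup ...]), which is the opposite default from Hiccup's own html function.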

weavejester avatar weavejester commented on May 14, 2024

You'd also need to change compile-html in the same way. That should result in the functionality you outline; however, I can't guarantee I've thought of everything.

Because this issue is the way Hiccup is meant to work, I'm closing this issue.

