Not sanitized output for EDE #3

Open
voidlizard opened this issue Jan 20, 2016 · 3 comments

Comments

@voidlizard

It would be nice to have unsanitized output support for EDE,
because all entities in generated JS/JSON are escaped by the
sanitizer when bound to a template.

A dirty fix might be:

--- src/Servant/EDE.hs  2016-01-20 17:39:19.137294389 +0300
+++ /b/servant-ede-0.5.1/src/Servant/EDE.hs 2016-01-20 13:48:17.102301746 +0300
@@ -32,6 +32,7 @@
 module Servant.EDE
   ( -- * Combinators
     HTML
+  , RawHTML
   , Tpl

     -- * Sending Haskell data to templates
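Review bot: `RawHTML` is added to the export list without a Haddock entry, so the module documentation will not tell users how it differs from `HTML` (which the existing instance comment describes as XSS-sanitizing). Add a short comment on the export, or on the `data RawHTML` declaration, stating that values bound through it are rendered verbatim and must already be safe for the context they land in.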
@@ -240,15 +241,23 @@
 -- passed to the template.
 data HTML (file :: Symbol)

+data RawHTML (file :: Symbol)
+
 -- | @text/html;charset=utf-8@
 instance Accept (HTML file) where
   contentType _ = "text" // "html" /: ("charset", "utf-8")

+instance Accept (RawHTML file) where
+  contentType _ = "text" // "html" /: ("charset", "utf-8")
+
 -- | XSS-sanitizes data before rendering it
 instance (KnownSymbol file, ToObject a) => MimeRender (HTML file) a where
   mimeRender _ val = mimeRender (Proxy :: Proxy (Tpl (HTML file) file)) $
     sanitizeObject (toObject val)

+instance (KnownSymbol file, ToObject a) => MimeRender (RawHTML file) a where
+  mimeRender _ val = mimeRender (Proxy :: Proxy (Tpl (RawHTML file) file)) $ toObject val
+
 sanitizeObject :: Object -> Object
 sanitizeObject = HM.fromList . map sanitizeKV . HM.toList

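Review bot: the new `MimeRender (RawHTML file)` instance passes `toObject val` straight to the template, yet neither it nor `data RawHTML` carries any comment marking this as the unsanitized path, while the `HTML` instance right above it is documented with "XSS-sanitizes data before rendering it". Document that every value bound via `RawHTML` skips `sanitizeObject`, so the caller owns escaping for the JS/JSON it embeds. The `Accept (RawHTML file)` instance is also a verbatim copy of the `HTML` one; a single type parameterised by a sanitize flag would avoid duplicating both the `Accept` and the `MimeRender` instances.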
@@ -288,9 +297,10 @@
   CTFiles (c ': cts) = Append (CTFile c) (CTFiles cts)

 type family CTFile c :: [Symbol] where
-  CTFile (HTML fp)   = '[fp]
-  CTFile (Tpl ct fp) = '[fp]
-  CTFile a           = '[]
+  CTFile (HTML fp)     = '[fp]
+  CTFile (RawHTML fp)  = '[fp]
+  CTFile (Tpl ct fp)   = '[fp]
+  CTFile a             = '[]

 templates :: Proxy api -> Proxy (TemplateFiles api)
 templates Proxy = Proxy
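Review bot: only `CTFile (RawHTML fp) = '[fp]` is a real change in this hunk; the `HTML`, `Tpl` and catch-all equations are removed and re-added purely to realign whitespace, which makes the diff noisier and hides the one-line addition. Keep the existing alignment (or realign in a separate whitespace-only commit). Since `CTFile` is a closed type family, the new equation must stay above the catch-all `CTFile a = '[]`, which it does.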
@alpmestan
Owner

I suggested this approach in an email:

data Sanitize = Sanitized | NotSanitized

data HTML' (s :: Sanitize) (templateFile :: Symbol)
instance ... MimeRender (HTML' s tfile) where ...

type HTML tfile = HTML' Sanitized tfile
type RawHTML tfile = HTML' NotSanitized tfile

Would that work for you? Maybe @jkarni can chime in here?
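The sketch above leaves the `MimeRender` instance elided. The following is an added, stand-alone example (not servant-ede's code and not from either participant) of how the type-level `Sanitize` flag can be turned into a term-level choice with a small class, so that one rendering path serves both `HTML` and `RawHTML` instead of two copied instances. To keep it runnable without servant-ede or aeson, `Object` is a stand-in `Map Text Text`, `escapeHtml` is an assumed minimal escaper standing in for `sanitizeObject`, and `renderContext` is an assumed helper representing the part of `mimeRender` that prepares the template context; all three names are this example's own.

```haskell
{-# LANGUAGE DataKinds, KindSignatures, ScopedTypeVariables, OverloadedStrings #-}
module SanitizeMode where

import Data.Proxy (Proxy (..))
import GHC.TypeLits (Symbol, KnownSymbol, symbolVal)
import qualified Data.Map.Strict as M
import qualified Data.Text as T

-- Promoted to the kind level with DataKinds, as in the suggestion above.
data Sanitize = Sanitized | NotSanitized

-- Assumed stand-in for servant-ede's HTML combinator: the first parameter
-- records whether values bound to the template are XSS-sanitized.
data HTML' (s :: Sanitize) (file :: Symbol)

type HTML    file = HTML' 'Sanitized    file
type RawHTML file = HTML' 'NotSanitized file

-- Minimal stand-in for the template context (servant-ede uses aeson's Object).
type Object = M.Map T.Text T.Text

-- Turns the type-level flag into a term-level sanitizer so that a single
-- MimeRender instance can dispatch on it instead of being duplicated.
class KnownSanitize (s :: Sanitize) where
  sanitizeFor :: Proxy s -> Object -> Object

instance KnownSanitize 'Sanitized where
  sanitizeFor _ = M.map escapeHtml

instance KnownSanitize 'NotSanitized where
  sanitizeFor _ = id

-- Assumed, deliberately small HTML escaper; servant-ede's sanitizeObject is
-- the real thing. It escapes the five characters that matter in HTML text.
escapeHtml :: T.Text -> T.Text
escapeHtml = T.concatMap esc
  where
    esc '<'  = "&lt;"
    esc '>'  = "&gt;"
    esc '&'  = "&amp;"
    esc '"'  = "&quot;"
    esc '\'' = "&#39;"
    esc c    = T.singleton c

-- What a MimeRender (HTML' s file) instance would do before handing the
-- context to the template engine: resolve the template file name and apply
-- whichever sanitizer the type selects. One code path, flag chosen by the type.
renderContext :: forall s file. (KnownSanitize s, KnownSymbol file)
              => Proxy (HTML' s file) -> Object -> (FilePath, Object)
renderContext _ obj =
  (symbolVal (Proxy :: Proxy file), sanitizeFor (Proxy :: Proxy s) obj)

main :: IO ()
main = do
  -- Constructed sample: a JSON blob meant to be embedded verbatim in a script.
  let ctx = M.fromList [("payload", "{\"msg\":\"<b>hi</b>\"}")]
  -- Sanitized route: the JSON is entity-escaped (the problem the issue reports).
  print (renderContext (Proxy :: Proxy (HTML "page.tpl")) ctx)
  -- Raw route: the JSON passes through unchanged; the route type says so.
  print (renderContext (Proxy :: Proxy (RawHTML "page.tpl")) ctx)
```

The point of keeping the flag in the type rather than in a runtime setting is that a handler's signature then documents whether sanitization is off for that route, which is the thing a reviewer wants to see when a template embeds caller-supplied data into JS/JSON.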

@voidlizard
Author

Yes, it's good. Maybe not just Sanitize = Sanitized | NotSanitized but, for fancy options,
something like

data EDESettings = EDESettings { edeSanitized :: Bool
                               , ...
                               }

but it will work for me anyway.

@alpmestan
Owner

Regarding your suggestion: yeah, that'd be nice. Hoping the Config work done in servant can help us store those settings, but since servant-ede only provides content types, I'm not entirely sure this is going to work. Again, @jkarni might know better, given that I haven't followed the work on Config closely.
