Escape html characters/tags before updating the templates

[arsulegai]

If HTML tags are not escaped then the generated file from the template would end up in erroneous format.

[arnabkaycee]

Can you share an example?

[arsulegai]

The site served here https://arsulegai.github.io/start-here-hyperledger/issues/hyperledger/fabric-sdk-py is corrupted with the template file from https://github.com/arsulegai/start-here-hyperledger/blob/main/templates/issue-template.md

[arnabkaycee]

I see. I will have have a look at this.

[arnabkaycee]

We are using the https://golang.org/pkg/text/template/ package.
There are two approaches to tackle this problem.

Approach 1:

• We can use the HTMLEscapeString inside the github.go. This is difficult to maintain and less elegant.

Approach 2:

• We can use inline functions in the template like html that escapes html characters. This in my opinion is a better approach and provides more flexibility to the template designer to place the escape functions. If we decide this approach I we need to close the issue here and raising the PR in the other repo.

[arsulegai]

We are using the https://golang.org/pkg/text/template/ package.
There are two approaches to tackle this problem.

Approach 1:

• We can use the HTMLEscapeString inside the github.go. This is difficult to maintain and less elegant.

Approach 2:

• We can use inline functions in the template like html that escapes html characters. This in my opinion is a better approach and provides more flexibility to the template designer to place the escape functions. If we decide this approach I we need to close the issue here and raising the PR in the other repo.

Sure, I see one more problem here. Let's say we are escaping html. md files support these html tags and supports for printing nicer on UI. If the input template is md format then we may need to skip this? What if the input template is of type html? Can we have a test on these?

[arnabkaycee]

We are using the https://golang.org/pkg/text/template/ package.
There are two approaches to tackle this problem.

Approach 1:

• We can use the HTMLEscapeString inside the github.go. This is difficult to maintain and less elegant.

Approach 2:

• We can use inline functions in the template like html that escapes html characters. This in my opinion is a better approach and provides more flexibility to the template designer to place the escape functions. If we decide this approach I we need to close the issue here and raising the PR in the other repo.

Sure, I see one more problem here. Let's say we are escaping html. md files support these html tags and supports for printing nicer on UI. If the input template is md format then we may need to skip this? What if the input template is of type html? Can we have a test on these?

---

If the input template is md format then we may need to skip this? What if the input template is of type HTML?

I don't think the enclosing template format would make a difference whether we want to escape or not. The problem is the special characters like @,<,>,&. The specific example from the 3rd comment has <,> characters in the log (present in the issue body) and messes with the overall rendering. So, no matter what the template format, HTML or MD, we would still need to escape these special characters, if we want to render them in the browser.

Can we have a test on these?

Sure we can test it locally.