HTML Entity Auto Escaping
Since templatel was initially designed to serve as the template language of a static site generator, most of its input will be HTML or XML. That called for an optional mechanism to distinguish expressions deemed safe from the ones whose contents should be escaped.
Enable and Disable Auto Escaping
The state of auto escaping depends on which API is being used. Let's look at each of them:

    ;; auto escaping comes disabled by default
    (templatel-render-string "hi {{ name }}" '(("name" . "<b>you</b>")))
    ;; "hi <b>you</b>"

    ;; pass t to auto-escape to enable it
    (templatel-render-string "hi {{ name }}" '(("name" . "<b>you</b>")) :autoescape t)
    ;; "hi &lt;b&gt;you&lt;/b&gt;"

    ;; auto escaping comes enabled by default for html and xml files
    (templatel-render-file "path/to/file.html" '(("name" . "<b>you</b>")))
    ;; "hi &lt;b&gt;you&lt;/b&gt;"

    (templatel-render-file "path/to/file.txt" '(("name" . "<b>you</b>")))
    ;; "hi <b>you</b>"

    ;; pass the list of extensions that should have auto escape enabled
    (templatel-render-file "path/to/file.rest" '(("name" . "<b>you</b>")) :autoescape-ext '(".rest"))
    ;; "hi &lt;b&gt;you&lt;/b&gt;"

With templatel-env-new and templatel-env-set-autoescape
The flag for HTML entity auto escaping defaults to false and can be enabled (or disabled again) with templatel-env-set-autoescape.

    (let ((env (templatel-env-new)))
      ;; all templates within this environment will have auto
      ;; escaping enabled
      (templatel-env-set-autoescape env t)
      ;; (...) add templates and such
      (templatel-env-render env path variables))

Render non-escaped content
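When auto escaping is enabled, the template writer must explicitly mark each value that is allowed to contain HTML and should not be escaped. That is done with the safe filter, which should be applied only to values whose markup the template writer controls, because a value marked this way reaches the output verbatim: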

    (templatel-render-string "Hi {{ name|safe }}!" '(("name" . "<b>you</b>")) :autoescape t)

The above will render:

    Hi <b>you</b>!
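
The following is an added example, not code from the templatel documentation. It mixes a value marked with the safe filter and an unmarked value in one template rendered with auto escaping on, and checks that only the marked one keeps its tags. The names my/comment-template and my/render-comment and both sample values are hypothetical, and templatel is assumed to be installed and on the load-path.

```emacs-lisp
;; Added example; assumes templatel is installed and on `load-path'.
(require 'templatel)
(require 'cl-lib)

;; Hypothetical template: `banner' is markup written by the site
;; author, `comment' is text supplied by a reader.
(defconst my/comment-template
  "<article>{{ banner|safe }}<p>{{ comment }}</p></article>")

(defun my/render-comment (banner comment)
  "Render BANNER verbatim and COMMENT with auto escaping applied."
  (templatel-render-string
   my/comment-template
   `(("banner" . ,banner)
     ("comment" . ,comment))
   :autoescape t))

(let ((html (my/render-comment
             "<b>Welcome</b>"                ; constructed, trusted markup
             "<script>alert(1)</script>")))  ; constructed, untrusted input
  ;; The value passed through `safe' keeps its tags.
  (cl-assert (string-match-p (regexp-quote "<b>Welcome</b>") html))
  ;; The unmarked value must not reach the output as a live tag.
  (cl-assert (not (string-match-p (regexp-quote "<script>") html)))
  html)
```

Moving the safe filter onto comment would make the second assertion fail, which is the situation to look for when reviewing templates that use the filter.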