Getting access to the content of the partial #12

Closed
patocallaghan opened this issue Jul 27, 2013 · 5 comments

Comments

@patocallaghan
Contributor

Hey,

I'm trying to do the following but can't seem to get it working.

I have an HTML partial which I am pulling into my page but I am also trying to HTML-escape the output of the partial. For example, I have <p>test</p> in my partial but I want it to be output on the page as &lt;p&gt;test&lt;/p&gt;. I do this as I'm trying to put the contents of the partial into a pre tag. I'm using this package to do the HTML escaping.

In my docpad.coffee I have:

escape: require('escape-html')

and in my template I call:

<%-escape(@partial('objects/code/block-list.html')) %>

but this outputs as:

%5Bpartial%3A0.9582784192170948%5D

Have you any ideas how I can access the contents of the partial to escape them?

Thanks,
Pat

@balupton
Member

Good question. So eco comes with this built-in which is great! :) Instead of using <%- "<a>something</a>" %> you can use <%= "<a>something</a>" %> which will escape the content. Generally you will always want to use <%= over <%- for security reasons (prevent XSS etc.) which is especially important when rendering data that comes from remote sources (think a Twitter or GitHub feed via feedr or via importers).

@patocallaghan
Contributor Author

Ah cool, didn't know that, thanks... although it doesn't seem to be working as expected here. Looking at the documentation on the eco README:

eco.render "<%= @description %>",
  description: "<strong>HTML 5</strong> mobile app"

should produce

&lt;strong&gt;HTML 5&lt;/strong&gt; mobile app

although in my case I've tried all the following variations with no success:

  • <%= "<a>test</a>" %> outputs "<a>test</a>" with no escaping.
  • "<%= <a>test</a> %>" (quotes on the outside) generates an error
  • eco.render "<%= <a>test</a> %>" generates an error (I added eco: require('./node_modules/docpad-plugin-eco/node_modules/eco') to docpad.coffee)
  • eco.render "<%= @code %>", code: "<a>test</a>" just output that call literally

Also while <a>test</a> is just an example, I'm actually looking to get access to the output of the partial to escape that. Instead it just outputs the actual partial function call.

@patocallaghan
Contributor Author

Hey, sorry to bring this up again, but do you have any suggestions?

@balupton
Member

balupton commented Aug 8, 2013

Ah okay, I know what the issue is. To recap:

  1. eco.render won't work in your templates as in your templates you use eco via <%, eco.render is for when you require the eco module for use in, say, a plugin or so
  2. If all you want is the unescaped rendered content of a partial to be outputted you use <%- instead of <%=, so <%- "<a>something</a>" %>
  3. Partials are rendered asynchronously. Now this is the actual issue holding you up. Calling @partial('blah') will just return something like partial:123123102391203 which will then be replaced later once the partial has finished rendering. To have it escape, you will need to do something like:
    1. Wrap the partial call in something like <escape>, so <escape><%- @partial('blah') %></escape>
    2. Use the renderDocument event to find escape elements and replace their contents with the escaped result (make sure your event runs after the partials event by setting a priority like renderDocumentPriority: 600) (you may need to do this in a plugin). Code will be something like:

        renderDocument: (opts) ->
            # Write back to opts.content; [\s\S] also matches newlines, and the slash in </escape> is escaped
            opts.content = opts.content.replace(/<escape>([\s\S]+?)<\/escape>/g, (a, b) -> require('escape-html')(b))
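
The ordering problem described in the reply above, as an added example that is not part of the original thread or DocPad's own code. `makeRenderer`, `escapeWrapped`, the `[partial:N]` token format and the sample partial are constructed for illustration, and a small `escapeHtml` stands in for the escape-html package.

```javascript
// Minimal HTML escaper standing in for the escape-html package (assumption).
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'
  }[c]));
}

// Constructed stand-in for an async partial renderer: partial() returns a
// placeholder token at once; resolve() swaps tokens for rendered output later.
function makeRenderer(partials) {
  const pending = new Map();
  let next = 0;
  return {
    partial(name) {
      const token = `[partial:${++next}]`;
      pending.set(token, partials[name]);
      return token;
    },
    resolve(content) {
      for (const [token, html] of pending) content = content.split(token).join(html);
      return content;
    }
  };
}

// Post-render pass: escape whatever ended up inside <escape>...</escape>.
// [\s\S] is used so multi-line partial output is matched as well.
function escapeWrapped(content) {
  return content.replace(/<escape>([\s\S]+?)<\/escape>/g, (_, inner) => escapeHtml(inner));
}

const partials = { 'block-list.html': '<ul>\n  <li>one</li>\n</ul>' }; // constructed sample

// Wrong order: escaping at template time only sees the token, so the
// partial's markup is substituted afterwards and reaches the page raw.
function escapeTooEarly() {
  const r = makeRenderer(partials);
  return r.resolve(`<pre>${escapeHtml(r.partial('block-list.html'))}</pre>`);
}

// Right order: mark the region, let the partial resolve, then escape.
function escapeAfterResolve() {
  const r = makeRenderer(partials);
  const page = `<pre><escape>${r.partial('block-list.html')}</escape></pre>`;
  return escapeWrapped(r.resolve(page));
}

console.log(escapeTooEarly());
console.log(escapeAfterResolve());
```

A partial whose output itself contains `</escape>` ends the match early and leaves the remainder unescaped, so this wrapper suits partials you author yourself rather than content from remote sources.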

@patocallaghan
Contributor Author

Thanks very much! That's more than enough to get me started :)
