Support automatic escaping HTML

Sources/Extension.swift

@@ -57,6 +57,7 @@ class DefaultExtension: Extension {
     registerFilter("uppercase", filter: uppercase)
     registerFilter("lowercase", filter: lowercase)
     registerFilter("join", filter: joinFilter)
+    registerFilter("safe", filter: safeFilter)
   }
 }
 

Sources/Filters.swift

@@ -39,3 +39,8 @@ func joinFilter(value: Any?, arguments: [Any?]) throws -> Any? {
 
   return value
 }
+
+
+func safeFilter(value: Any?) throws -> Any? {
+  return escaped(html: stringify(value))
+}

Sources/HTML.swift

@@ -0,0 +1,26 @@
+public protocol HTMLString {
+  var html: String { get }
+}
+
+
+struct EscapedHTML: HTMLString, CustomStringConvertible {
+  let value: String
+
+  var html: String { return value }
+  var description: String { return value }
+}
+
+
+func escaped(html: String) -> HTMLString {
+  return EscapedHTML(value: html)
+}
+
+
+func escapeHTML(_ value: String) -> String {
+  return value
+    .replacingOccurrences(of: "&", with: "&")
+    .replacingOccurrences(of: "'", with: "&39;")
+    .replacingOccurrences(of: "<", with: "&lt;")
+    .replacingOccurrences(of: ">", with: "&gt;")
+    .replacingOccurrences(of: "\"", with: "&quot;")
+}

Sources/Node.swift

@@ -70,11 +70,15 @@ public class VariableNode : NodeType {
 
   public func render(_ context: Context) throws -> String {
     let result = try variable.resolve(context)
-    return stringify(result)
+
+    if let result = result as? EscapedHTML {
+      return result.html
+    }
+
+    return escapeHTML(stringify(result))
   }
 }
 
-
 func stringify(_ result: Any?) -> String {
   if let result = result as? String {
     return result

Tests/StencilTests/FilterSpec.swift

@@ -147,4 +147,13 @@ func testFilter() {
       try expect(result) == "OneTwo"
     }
   }
+
+  describe("safe filter") {
+    let template = Template(templateString: "{{ \"<'>\"|safe }}")
+
+    $0.it("prevents auto escaping") {
+      let result = try template.render()
+      try expect(result) == "<'>"
+    }
+  }
 }

Tests/StencilTests/NodeSpec.swift

@@ -12,6 +12,7 @@ class ErrorNode : NodeType {
 func testNode() {
   describe("Node") {
     let context = Context(dictionary: [
+      "title": escaped(html: "'Hello World'"),
       "name": "Kyle",
       "age": 27,
       "items": [1, 2, 3],
@@ -34,6 +35,18 @@ func testNode() {
         let node = VariableNode(variable: Variable("age"))
         try expect(try node.render(context)) == "27"
       }
+
+      $0.describe("escaping") {
+        $0.it("automatically escapes unescaped html") {
+          let node = VariableNode(variable: Variable("\"'Hello World'\""))
+          try expect(try node.render(context)) == "&39;Hello World&39;"
+        }
+
+        $0.it("doesn't double escape already escaped HTML") {
+          let node = VariableNode(variable: Variable("title"))
+          try expect(try node.render(context)) == "'Hello World'"
+        }
+      }
     }
 
     $0.describe("rendering nodes") {

docs/builtins.rst

@@ -286,3 +286,20 @@ Join an array of items.
     {{ value|join:", " }}
 
 .. note:: The value MUST be an array.
+
+``safe``
+~~~~~~~~
+
+Marks a value as safe and thus prevents the value from being automatically
+escaped.
+
+.. code-block:: html+django
+
+    {{ name|safe }}
+
+Other filters may remove the safe state, for example filtering through `safe`
+and then `lowercase` will result in an unsafe lowercased string.
+
+.. code-block:: html+django
+
+    {{ name|safe|lowercase }}