How to preserve javascript in heist template from escaping?

Question

I'm using Snap framework with Heist templating engine. The problem is that Heist corrupts javascript code inlined into html:

<script type="text/javascript">alert('hello');</script>

Transformed into:

<script type="text/javascript">alert(&apos;hello&apos;);</script>

How can I tell Heist to preserve contents of the script tag?

Edit: I just implemented such splice:

verbatimSplice :: MonadIO m => Splice m
verbatimSplice = do
    node <- getParamNode       -- get <script> node
    stopRecursion              -- stop recursive processing of splices
    lift $ liftIO $ print node -- show me the node
    return [node]              -- return <script> as is

But binding this splice to script tag does not help. It prints

Element "script" [("type","text/javascript")] [Text "alert('hello');"]

so, I think, html entity substitution takes place after running all splices.

Heh, that's amusing. Technically, the latter should work (according to specs and stuff), but of course, browser compliance in this area is spotty. If Heist doesn't have special provisions for Script tags, this might be a little tricky: you'll need to use whatever comment escape mumbo jumbo people use these days. — Edward Z. Yang, Jan 01 '11 at 17:50
@Edward, It's pity but Firefox (at least 3.6.13) does not understand the latter script. Can you point to specs that explain why it should? — max taldykin, Jan 01 '11 at 19:02

mightybyte · Accepted Answer · 2011-08-31T13:08:16.280

Heist uses hexpat for its processing. I believe the issue here is that hexpat uses expat, which requires well-formed XML. Unfortunately HTML documents with inline javascript aren't valid, so it escapes them. We're aware of this problem. The solution is to switch to an HTML5 parser instead of an XML parser. Unfortunately there are no good HTML5 parsing libraries for Haskell.

Until that happens, the solution is to move all your javascript out of templates into external files. We realize this is not an adequate solution for the long term. We're planning to either write one or switch to one eventually. Contributions in this area would be greatly appreciated.

Update:

As of February 2011, Heist has switched from using hexpat to using our own custom HTML parsing library called XmlHtml which solves this problem.

Thank you. Another inconvenience is that hexpat normalizes empty nodes but `` is not a valid html. So you need to put something (one space is enough) between ``. — max taldykin, Jan 02 '11 at 07:04

score 1 · Answer 2 · answered Jan 02 '11 at 04:27

1

Ideally you would wrap your script in CDATA tags

<script>
//<!CDATA[
  alert('hello');
//]]>
</script>

which would make it valid XML.

Alas, Heist seems to ignore these.

answered Jan 02 '11 at 04:27

yiding

3,482
18
17

IIRC this is a hexpat/expat issue. Again, a new HTML5 compliant parser would be really nice. – mightybyte Jan 02 '11 at 14:21

How to preserve javascript in heist template from escaping?

2 Answers2