Script tag converts " into "

Question

Script tag converts " into "

Quadrangle opened this issue 4 years ago · comments

I am really enjoying Dominate. Great job on this Team Knio!
I can use the script tag to refer to an external .js file and all works well.
But for a script tag in the head or body elements, sensitive characters are escaped. The script does not work.
Is there an immediate workaround, like injecting text?

Quadrangle · Answer 1 · Wed Nov 18 2020 02:36:00 GMT+0800 (China Standard Time)

I just changed double quotes (") to single quotes (') in the javascript and all works.

Tom Flanagan · Answer 2 · Sat Nov 28 2020 08:36:50 GMT+0800 (China Standard Time)

Hi, this is to prevent XSS attacks in case the content of tags is user-generated (and applies to all tags, not just <script>). If you trust the content or it's just a static string, use the raw() util to prevent escaping. e.g.:

from dominate.tags import *
from dominate.util import *

script(raw('''
    alert("Hello World!");
'''))

Script tag converts " into &quot;

Script tag converts " into "