Hi, I just ran across a bug with the latest CanJS EJS rendering where if
you use a magic tag within an HTML tag's attributes AND it's
wrapped in an if block, then it will not be escaped, so for example
single apostrophes will be put right into the HTML and close the
attribute early. Here's an example:
    <input type='text'
    <% if(value != null){ %> value='<%=value%>' <% } %>
    />
If value="foo's bar", the resulting HTML will be:
    <input type='text'
    value='foo's bar'
    />
And the user will only see "foo" in the input field.
Here's a JSFiddle showing the same example live: http://jsfiddle.net/c5yw5bya/2/
Does anyone know of a way to work around this bug? Also, I poked
around a bit to find out where the escaping happens
(can/view/render.js?), but I couldn't figure out the logic of how
it decides to escape based on whether it's inside another
tag's attributes. And finally, JSMVC 3.2 did not have this problem.
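As an added illustration (not CanJS, JSMVC or the original poster's code), the following reproduces the effect described above with plain JavaScript: the apostrophe in a raw-interpolated value ends the single-quoted attribute early, so a tokenizer reading the tag only sees "foo", while an explicitly attribute-escaped value survives intact. The `escapeHtmlAttr` helper is the usual workaround when a template engine's own escaping cannot be relied on in attribute context; the function and attribute names here are the example's own.

```javascript
// Escape a string for safe use inside an HTML attribute value (or a text
// node). These five characters are the ones that can change HTML context.
function escapeHtmlAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Render the <input> tag from the post, either interpolating the value raw
// (what the reported bug produces) or escaped first.
function renderInput(value, escape) {
  if (value == null) {
    return "<input type='text' />";
  }
  var v = escape ? escapeHtmlAttr(value) : value;
  return "<input type='text' value='" + v + "' />";
}

// Reverse the entity encoding; '&amp;' is decoded last so that an encoded
// sequence such as '&amp;lt;' is not decoded twice.
function decodeEntities(s) {
  return s.replace(/&#39;/g, "'")
          .replace(/&quot;/g, '"')
          .replace(/&lt;/g, '<')
          .replace(/&gt;/g, '>')
          .replace(/&amp;/g, '&');
}

// Minimal reader of a single-quoted value='...' attribute. Like a browser's
// tokenizer it stops at the first closing quote, which is exactly why an
// unescaped apostrophe truncates the value.
function readValueAttr(html) {
  var m = /value='([^']*)'/.exec(html);
  return m ? decodeEntities(m[1]) : null;
}

// Constructed sample input, the same value as in the post.
var sample = "foo's bar";
var rawHtml = renderInput(sample, false);     // value='foo's bar'
var safeHtml = renderInput(sample, true);     // value='foo&#39;s bar'
console.log(rawHtml, '->', readValueAttr(rawHtml));   // -> foo
console.log(safeHtml, '->', readValueAttr(safeHtml)); // -> foo's bar
```

Running it prints the truncated "foo" for the raw rendering and the full "foo's bar" for the escaped one; the same check applied to user-controlled values is a quick way to confirm whether a given template path is escaping attribute content at all.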