Lib html

A library/module for escaping/unescaping of special HTML characters.

1. Announcement to mailing list

• Proposed editor: your name
• Date proposed: date of proposal
• Link: link to email

Notes from discussion on mailing list

• note
• note
• note

2. Research of standards and techniques

1. Standard: standard - link to docs - ...
2. Standard: standard - link to docs - ...
3. Technique: technique - link to docs - ...
4. Technique: technique - link to docs - ...

Summary of research on standards and leading techniques

Relevant standards and techniques exist?

Those intended to follow (and why)

Those intended to ignore (and why)

3. Research of libraries from other languages

1. Language: Go - html
   • EscapeString() escapes only the 5 characters < > & ' "
   • UnescapeString() unescapes more characters
2. Language: PHP - htmlspecialchars()
   • escapes only the 5 characters < > & ' " - htmlspecialchars_decode ()
   • decodes only the characters handled by htmlspecialchars()
3. Language: RUby - CGI.escapeHTML
   • escapes only the 5 characters < > & ' " - CGI.unescapeHTML - htmlentities gem

Summary of research from other languages:

Structures and functions commonly appearing

Variations on implementation seen

Pitfalls and hazards associated with each variant

Relationship to other libraries and/or abstract interfaces

4. Module writing

See https://github.com/veddan/rust-htmlescape

• Pull request: link to bug

Additional implementation notes

Question: where to get from the complete list of characters to escape and entities to produce?

• escape_minimal() only escapes the necessary 5 characters < > & ' " which are necessary for security/forms/URLs
  • < => <
  • > => >
  • & => &
  • ' => '
  • " => "
• escape_full() escapes all characters
  • We probably should use a table-lookup (binary search), similar to the code in https://github.com/mozilla/rust/blob/incoming/src/libcore/unicode.rs