Template code Chunk output
{#example_1}
{!-- The htmlescape and escapequotes filters, plus defang,
  -- and some suggestions on where to use them.
  --
  -- Cross-site scripting (XSS) attacks can be avoided
  -- with careful use of escape filters.  By hardening
  -- your templates against abuse, your Java code is
  -- relieved of this burden.
  --}
<h2>The WRONG way:</h2>

<form>
 <input
   name="full_name"
   value="{$name_a}" />
</form>

<script>
var x = '{$name_b}';
var y = '{$name_c}';
</script>

<div>
 I trust this {$output}
</div>


<hr/>

<h2>The RIGHT way:</h2>

<form>
 <input
   name="full_name"
   value="{$name_a|htmlescape}" />
</form>

<script>
var x = '{$name_b|escapequotes}';
var y = '{$name_c|escapequotes}';
</script>

<div>
 I don't trust this {$output|defang}
</div>
{#}
import java.io.PrintWriter;

import com.x5.template.Chunk;
import com.x5.template.Theme;

Theme theme = new Theme("examples");

// Fetch template from this file: themes/examples/escapes.chtml
// Inside that file there is a template "snippet" named #example_1
Chunk html = theme.makeChunk("escapes#example_1");

// let's try to sneak some malicious values into the template
html.set("name_a","Eddy \"Crazy Eddy\" Robslovsky");
html.set("name_b","Mad \"Meanie\" McEvil'+doMeanThing()+'");
html.set("name_c","Backslash-\\B\\o\\b \"Confused\" O'Malley");

html.set("output","<script>attack()</script>");

// render to stdout; any java.io.Writer will do
PrintWriter out = new PrintWriter(System.out);
html.render( out );
out.flush();
<h2>The WRONG way:</h2>

<form>
 <input
   name="full_name"
   value="Eddy "Crazy Eddy" Robslovsky" />
</form>

<script>
var x = 'Mad "Meanie" McEvil'+doMeanThing()+'';
var y = 'Backslash-\B\o\b "Confused" O'Malley';
</script>

<div>
 I trust this <script>attack()</script>
</div>


<hr/>

<h2>The RIGHT way:</h2>

<form>
 <input
   name="full_name"
   value="Eddy &quot;Crazy Eddy&quot; Robslovsky" />
</form>

<script>
var x = 'Mad \"Meanie\" McEvil\'+doMeanThing()+\'';
var y = 'Backslash-\\B\\o\\b \"Confused\" O\'Malley';
</script>

<div>
 I don't trust this scriptattack()/script
</div>

Template code Chunk output
{#example_2}
{!-- urlencode, urldecode.  TODO: improve this example... --}
<a href="http://www.example.com/cgi-bin/record_action?url={$url|urlencode}">Click here</a>

<p>The query string was: {$query_string|urldecode}.
{#}
import java.io.PrintWriter;

import com.x5.template.Chunk;
import com.x5.template.Theme;

Theme theme = new Theme("examples");

// Fetch template from this file: themes/examples/escapes.chtml
// Inside that file there is a template "snippet" named #example_2
Chunk html = theme.makeChunk("escapes#example_2");

html.set("url","http://www.x5software.com/chunk/wiki/");
html.set("query_string","x=y&z=w&god_particle=higgs%20boson");

// render to stdout; any java.io.Writer will do
PrintWriter out = new PrintWriter(System.out);
html.render( out );
out.flush();
<a href="http://www.example.com/cgi-bin/record_action?url=http%3A%2F%2Fwww.x5software.com%2Fchunk%2Fwiki%2F">Click here</a>

<p>The query string was: x=y&z=w&god_particle=higgs boson.

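The point of both examples is that each output context needs its own filter: an attribute needs htmlescape, a JS string literal needs escapequotes, and the wrong filter in the wrong place still lets the value break out. The Python below is an added example, not Chunk's own code: it models the five filters on the outputs shown above (defang only as far as the page shows it, i.e. dropping angle brackets), feeds them the same sample values, and adds two small "did the value stay inside its delimiters" checks of my own.

```python
import html
import urllib.parse

# Constructed sample values, taken from the example_1 / example_2 snippets above.
NAME_A = 'Eddy "Crazy Eddy" Robslovsky'
NAME_B = "Mad \"Meanie\" McEvil'+doMeanThing()+'"
NAME_C = "Backslash-\\B\\o\\b \"Confused\" O'Malley"
OUTPUT = "<script>attack()</script>"

def htmlescape(s):
    """HTML text/attribute context: & < > \" ' become entities."""
    return html.escape(s, quote=True)

def escapequotes(s):
    """JS single-quoted string context: backslash first, then both quote kinds,
    so a backslash already in the value cannot neutralise the escape we add."""
    return s.replace("\\", "\\\\").replace('"', '\\"').replace("'", "\\'")

def defang(s):
    """Modelled on the output shown above: drops angle brackets so no tag survives."""
    return s.replace("<", "").replace(">", "")

def urlencode(s):
    """Percent-encode everything but unreserved characters (':' and '/' included)."""
    return urllib.parse.quote(s, safe="")

def urldecode(s):
    return urllib.parse.unquote(s)

def render_attr(value, escaper=lambda s: s):
    """The <input value="..."> line from the template, through a chosen filter."""
    return '<input name="full_name" value="%s" />' % escaper(value)

def attr_is_intact(rendered):
    """A raw double quote inside the value would end the attribute early."""
    prefix, suffix = '<input name="full_name" value="', '" />'
    return '"' not in rendered[len(prefix):-len(suffix)]

def render_js_var(value, escaper=lambda s: s):
    """The var x = '...'; line from the template, through a chosen filter."""
    return "var x = '%s';" % escaper(value)

def js_string_is_intact(rendered):
    """True only if every single quote in the body is backslash-escaped,
    i.e. the value cannot close the string and run code after it."""
    body = rendered[len("var x = '"):-len("';")]
    # strip escaped backslashes first, then escaped quotes; anything left is raw
    return "'" not in body.replace("\\\\", "").replace("\\'", "")
```

Note that escapequotes applied to the attribute value still fails attr_is_intact: `\"` is not an escape in HTML, so the quote still terminates the attribute.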