While it was a good move on Rails' part to escape ERB <%= %> tags by default, the same doesn't seem to happen with Sprockets.
The strange bit is that, according to the Sprockets documentation, it would be just a matter of naming your template .jst.eco to enable Eco:
https://github.com/sstephenson/sprockets#javascript-templating-with-ejs-and-eco
Then, extracted from the Eco documentation:
https://github.com/sstephenson/eco
"<%= expression %>: Evaluate a CoffeeScript expression, escape its return value, and print it."
It means that by default it should escape "expression". So why isn't escaping happening by default in Rails JST Eco templates?
I know about templating alternatives like Handlebars or Knockout, but I actually want to be able to use some ERB-like template. For example, as far as I could find out, Handlebars won't support local helpers. I don't like the idea of polluting the global space with lots of helpers, because it would be a mess for me to maintain such code.
Also, I miss an easy way to embed something like products_path in my Eco templates, for obvious reasons, but this is a minor issue for me… Escaping is a very important one, though.
Thanks in advance,
Rodrigo.
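As an added example, not from the post above and not code from the Eco or Sprockets projects: a minimal renderer in plain JavaScript that mirrors the documented Eco contract (<%= %> escapes its value, <%- %> prints it raw), so the difference the question is about can be seen on a value that contains markup. It assumes simple property paths (product.name) instead of real CoffeeScript expressions, and the set of escaped characters (& < > ") is assumed to match what Eco's generated escape helper replaces; the product value and template are constructed for the example.

```javascript
// Added example: an Eco-style renderer reduced to the escaping behaviour.
// Tag bodies are treated as dotted property names looked up in the context
// (assumption; real Eco evaluates CoffeeScript here).

// Characters replaced by the escape step (assumed to match Eco's helper).
const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;" };

function escapeHtml(value) {
  return String(value).replace(/[&<>"]/g, (ch) => ESCAPES[ch]);
}

// Render a template string against a context object.
//   <%= path %>  -> value is HTML-escaped before it is printed
//   <%- path %>  -> value is printed as-is (raw)
function render(template, context) {
  return template.replace(/<%([=-])\s*([\w.]+)\s*%>/g, (match, mode, path) => {
    const value = path
      .split(".")
      .reduce((obj, key) => (obj == null ? undefined : obj[key]), context);
    const text = value == null ? "" : String(value);
    return mode === "=" ? escapeHtml(text) : text;
  });
}

// Constructed sample data: a product name that contains characters a browser
// would interpret as markup if they reached the page unescaped.
const product = { name: 'Tom & Jerry <b>"Deluxe"</b>' };
const ESCAPED_TEMPLATE = '<li class="product"><%= product.name %></li>';
const RAW_TEMPLATE = '<li class="product"><%- product.name %></li>';

function renderEscaped() {
  return render(ESCAPED_TEMPLATE, { product });
}

function renderRaw() {
  return render(RAW_TEMPLATE, { product });
}

// Check worth running over rendered output in a test suite: does a value that
// carries angle brackets appear verbatim (i.e. unescaped) in the markup?
function containsRawMarkup(rendered, value) {
  return /[<>]/.test(value) && rendered.includes(value);
}

console.log(renderEscaped());
// <li class="product">Tom &amp; Jerry &lt;b&gt;&quot;Deluxe&quot;&lt;/b&gt;</li>
console.log(renderRaw());
// <li class="product">Tom & Jerry <b>"Deluxe"</b></li>
```

The point of the containsRawMarkup check is that it is cheap to assert in a test that every template which interpolates user-controlled data goes through the escaped form; if the Sprockets build step is not applying Eco's escaping as expected, a test like this fails on the rendered string rather than in a browser.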