I'm trapped in my HTML, how do I escape!?
genesis : I was confused about character escaping, so I'm going to write what I learned!
You see character escaping everywhere! It's used to "interpret a sequence of characters differently". A little wordy, I know.
Typically there are two modes of thinking. One is the "programming language" or "context" you are working in, and the other is the "vanilla" or "plain" old character. Let me show you.
-
example 1 : BASH: take the following two examples. You will notice that one of them has raw '<' and '>' characters, and the other has them "escaped" with the '\' character. In bash, '<' and '>' are used to redirect standard output, input, and error. So when you try to echo text containing these characters, the shell reads them as redirection operators instead of plain text and doesn't know what to do. An important note here is that each language escapes its own characters differently.
C:\>echo <hello world> # sh: syntax error near unexpected token `newline'
C:\>echo \<hello world\> # <hello world>
Escaping is commonly done in programming languages and configuration files like JSON with a preceding '\' character. In html, they take a different approach. They escape their characters with an "escape code". This is a similar idea to ASCII, in the sense that every character has a code you can render it as. This website is a good resource for escaping characters.
My struggle in understanding this was that I was seeing my characters escaped via codes in html, but when they were rendered, I didn't see any of the codes and the html wasn't rendering properly, it was just text. The reason is: this is what escaping is designed to do. My mustache compiler escaped all of my html for me, and then my browser (Firefox) rendered the escaped characters as just the raw characters. To fix this, I told mustache to not escape my html using {{{foo}}} instead of {{foo}}!
Last but not least, escaping is attractive because you can use "reserved character sequences" in your text / code & it helps prevent security vulnerabilities. If someone was able to save HTML into your application, they could add tags of their own to get html to render differently. When you escape the html, it is effectively neutralized because it will be interpreted as just the vanilla characters and not html. The flip side is that {{{foo}}} switches that protection off, so it only fits values whose html you wrote yourself. Pretty sweet!
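The difference between {{foo}} and {{{foo}}} described above, as an added example that is not part of the original post and is not mustache's own code. The `render` and `escapeHtml` functions and the five-character entity table are a hypothetical stand-in for a mustache-style compiler, and the saved comment is constructed sample input.

```javascript
// Assumed entity table for this example: the five characters HTML treats specially.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Replace each HTML-significant character with its escape code.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// Hypothetical renderer: {{{name}}} inserts the value raw, {{name}} inserts it escaped.
// The triple form is listed first so it is never mistaken for the double form.
function render(template, data) {
  const tag = /\{\{\{\s*(\w+)\s*\}\}\}|\{\{\s*(\w+)\s*\}\}/g;
  return template.replace(tag, (match, rawKey, escKey) => {
    const key = rawKey !== undefined ? rawKey : escKey;
    const value = data[key] === undefined ? '' : data[key];
    return rawKey !== undefined ? String(value) : escapeHtml(value);
  });
}

// Constructed sample: text a visitor saved into the application.
const comment = '<img src="x.png"> Tom & Jerry\'s';

// Escaped: the browser shows the characters as text, no <img> element is created.
const escaped = render('<p>{{foo}}</p>', { foo: comment });

// Raw: the saved text becomes part of the page's markup.
const raw = render('<p>{{{foo}}}</p>', { foo: comment });

console.log(escaped);
console.log(raw);

// Escaping something that is already escaped shows up as visible codes on the page.
console.log(escapeHtml('&lt;'));
```
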