<html><head><meta http-equiv="Content-Type" content="text/html charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">With the current model, I’d make a first pass of this sort of functionality by doing:<div class=""><br class=""></div><div class="">1. Define an HtmlEncoded wrapping struct that indicates a value is meant to be safe to output directly, rather than be encoded. This would make encoding safe by default (opt out).</div><div class="">2. HTML content built via string interpolation would escape any data input not wrapped in an HtmlEncoded struct.</div><div class=""><div class=""><div class="">3. Define functions for the common tags which output nested HTML data, rather than having people write the tags themselves.</div></div><div class=""><br class=""></div><div class="">With all that, your code would probably be:</div><div class=""><br class=""></div></div><blockquote style="margin: 0 0 0 40px; border: none; padding: 0px;" class=""><div class=""><div class="">let title = "&lt;script&gt;boom();&lt;/script&gt;"</div></div><div class=""><div class="">result.render(h1(title)); // outputs '&lt;h1&gt;&amp;lt;script&gt;boom();&amp;lt;/script&gt;&lt;/h1&gt;'</div></div></blockquote><div class=""><div class=""><br class=""></div><div class=""><div class="">4. 
(maybe) HtmlEncoded is ExpressibleByStringInterpolation, so that</div><div class=""><br class=""></div><div class="">var username = "&lt;script&gt;boom();&lt;/script&gt;"</div></div><div class="">var encoded: HtmlEncoded = "Hello, \(username)"</div><div class="">print(encoded) // 'Hello, &amp;lt;script&gt;boom();&amp;lt;/script&gt;'</div><div class=""><br class=""></div><div class="">This is somewhat analogous to Rails 3’s String.html_safe functionality, and avoids interpreting string safety based on a string being a literal.</div><div class=""><br class=""></div><div class="">-DW</div><div class=""><br class=""><div class=""><div class=""><div><blockquote type="cite" class=""><div class="">On Jan 20, 2017, at 9:27 AM, Gwendal Roué via swift-evolution &lt;<a href="mailto:swift-evolution@swift.org" class="">swift-evolution@swift.org</a>&gt; wrote:</div><br class="Apple-interchange-newline"><div class=""><div class=""><blockquote type="cite" class="">One ask - make string interpolation great again?<br class=""></blockquote><br class="">I have a dream, that ExpressibleByStringInterpolation would allow distinguishing literal segments from embedded inputs.<br class=""><br class="">Today, the documentation of this protocol [1] says:<br class=""><br class=""><span class="Apple-tab-span" style="white-space:pre">        </span>"One cookie: $\(price), \(number) cookies: $\(price * number)."<br class=""><span class="Apple-tab-span" style="white-space:pre">        </span>// &lt;=&gt;<br class=""><span class="Apple-tab-span" style="white-space:pre">        </span>let message = String(stringInterpolation:<br class=""><span class="Apple-tab-span" style="white-space:pre">        </span><span class="Apple-tab-span" style="white-space:pre">        </span>String(stringInterpolationSegment: "One cookie: $"),<br class=""><span class="Apple-tab-span" style="white-space:pre">        </span><span class="Apple-tab-span" style="white-space:pre">        
</span>String(stringInterpolationSegment: price),<br class=""><span class="Apple-tab-span" style="white-space:pre">        </span><span class="Apple-tab-span" style="white-space:pre">        </span>String(stringInterpolationSegment: ", "),<br class=""><span class="Apple-tab-span" style="white-space:pre">        </span><span class="Apple-tab-span" style="white-space:pre">        </span>String(stringInterpolationSegment: number),<br class=""><span class="Apple-tab-span" style="white-space:pre">        </span><span class="Apple-tab-span" style="white-space:pre">        </span>String(stringInterpolationSegment: " cookies: $"),<br class=""><span class="Apple-tab-span" style="white-space:pre">        </span><span class="Apple-tab-span" style="white-space:pre">        </span>String(stringInterpolationSegment: price * number),<br class=""><span class="Apple-tab-span" style="white-space:pre">        </span><span class="Apple-tab-span" style="white-space:pre">        </span>String(stringInterpolationSegment: "."))<br class=""><br class="">This means that ExpressibleByStringInterpolation can't distinguish "foo" from `bar` in "foo\(bar)".<br class=""><br class="">If this distinction were possible, some nice features could emerge, such as context-sensitive escaping:<br class=""><br class=""><span class="Apple-tab-span" style="white-space:pre">        </span>// func render(_ html: HTML)<br class=""><span class="Apple-tab-span" style="white-space:pre">        </span>let title = "&lt;script&gt;boom();&lt;/script&gt;"<br class=""><span class="Apple-tab-span" style="white-space:pre">        </span>render("&lt;h1&gt;\(title)&lt;/h1&gt;") // escapes input<br class=""><span class="Apple-tab-span" style="white-space:pre">        </span><br class=""><span class="Apple-tab-span" style="white-space:pre">        </span>// func query(_ sql: SQL)<br class=""><span class="Apple-tab-span" style="white-space:pre">        </span>let name = "Robert'); DROP TABLE students; --"<br class=""><span 
class="Apple-tab-span" style="white-space:pre">        </span>query("SELECT * FROM students WHERE name = \(name)") // avoids SQL injection<br class=""><br class="">Ideally, a solution for multi-line literals (for strings and interpolated strings) would be found, too.<br class=""><br class="">I wish the manifesto would address these topics as well :-)<br class=""><br class="">Regards,<br class="">Gwendal Roué<br class=""><br class="">[1] <a href="https://developer.apple.com/reference/swift/expressiblebystringinterpolation" class="">https://developer.apple.com/reference/swift/expressiblebystringinterpolation</a><br class=""><br class="">_______________________________________________<br class="">swift-evolution mailing list<br class=""><a href="mailto:swift-evolution@swift.org" class="">swift-evolution@swift.org</a><br class="">https://lists.swift.org/mailman/listinfo/swift-evolution<br class=""></div></div></blockquote></div><br class=""></div></div></div></div></body></html>
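The design DW sketches above (a typed HtmlEncoded wrapper, escaping of interpolated data by default, tag helper functions, and an ExpressibleByStringInterpolation conformance), written out as an added example. This is not code from the thread or from the Swift standard library: it uses the StringInterpolationProtocol that Swift 5 later added, which provides exactly the literal-versus-interpolated distinction Gwendal asks for, and the names HtmlEncoded, trusted(_:), escape(_:), h1, li and ul are assumed here for illustration.

```swift
// Added example (Swift 5+), not code from the thread. The names HtmlEncoded,
// trusted(_:), escape(_:), h1, li and ul are assumed for illustration.

/// Markup that is safe to emit. Literal segments of an HtmlEncoded string are
/// trusted (they are written in source code); interpolated values are data and
/// are escaped unless they are already HtmlEncoded.
struct HtmlEncoded: ExpressibleByStringInterpolation, CustomStringConvertible {
    let value: String

    /// Explicit opt-out, analogous to Rails' String#html_safe: the caller
    /// asserts that `raw` is already well-formed, trusted markup.
    static func trusted(_ raw: String) -> HtmlEncoded { HtmlEncoded(raw: raw) }

    private init(raw: String) { value = raw }

    /// Escape the characters that are significant in HTML text nodes and in
    /// double- or single-quoted attribute values.
    static func escape(_ text: String) -> String {
        var out = ""
        out.reserveCapacity(text.utf8.count)
        for ch in text {
            switch ch {
            case "&": out += "&amp;"
            case "<": out += "&lt;"
            case ">": out += "&gt;"
            case "\"": out += "&quot;"
            case "'": out += "&#39;"
            default: out.append(ch)
            }
        }
        return out
    }

    // ExpressibleByStringLiteral (inherited requirement): a plain literal has
    // no interpolations, so it is trusted as written.
    init(stringLiteral: String) { value = stringLiteral }

    // ExpressibleByStringInterpolation: the builder below has already escaped
    // every interpolated segment.
    init(stringInterpolation: StringInterpolation) { value = stringInterpolation.output }

    var description: String { value }

    struct StringInterpolation: StringInterpolationProtocol {
        var output = ""
        init(literalCapacity: Int, interpolationCount: Int) {
            output.reserveCapacity(literalCapacity)
        }
        /// Literal text written in the source file: appended as-is.
        mutating func appendLiteral(_ literal: String) { output += literal }
        /// Default for any interpolated value: treat it as data and escape it.
        mutating func appendInterpolation<T>(_ value: T) {
            output += HtmlEncoded.escape(String(describing: value))
        }
        /// The more specific overload wins for HtmlEncoded: insert verbatim,
        /// so nesting tag helpers does not double-escape.
        mutating func appendInterpolation(_ value: HtmlEncoded) {
            output += value.value
        }
    }
}

// Tag helpers (DW's item 3): callers never type the angle brackets, and the
// return-type context makes each literal an HtmlEncoded, so `\(text)` is escaped.
func h1(_ text: String) -> HtmlEncoded { "<h1>\(text)</h1>" }
func li(_ text: String) -> HtmlEncoded { "<li>\(text)</li>" }
func ul(_ items: [HtmlEncoded]) -> HtmlEncoded {
    "<ul>\(HtmlEncoded.trusted(items.map { $0.value }.joined()))</ul>"
}

// The thread's own inputs (constructed sample data).
let title = "<script>boom();</script>"
let heading = h1(title)
assert(heading.value == "<h1>&lt;script&gt;boom();&lt;/script&gt;</h1>")

let username = "<script>boom();</script>"
let greeting: HtmlEncoded = "Hello, \(username)"
assert(greeting.value == "Hello, &lt;script&gt;boom();&lt;/script&gt;")

// Nesting: `heading` is already HtmlEncoded and goes in untouched; the
// strings passed to li(_:) are data and are escaped exactly once.
let page: HtmlEncoded = "<body>\(heading)\(ul([li("Tom & Jerry"), li(username)]))</body>"
assert(page.value == "<body><h1>&lt;script&gt;boom();&lt;/script&gt;</h1><ul><li>Tom &amp; Jerry</li><li>&lt;script&gt;boom();&lt;/script&gt;</li></ul></body>")
print(page)
```

Two things to keep in mind when using a wrapper like this. The `trusted(_:)` escape hatch is the only way to get unescaped text in, so it is the one call site to audit, just as `html_safe` is in a Rails codebase. And the escaping above is correct only for text nodes and quoted attribute values; a value dropped into a URL, a JavaScript string or an unquoted attribute needs a different encoder, which is why Gwendal's sketch types the destination (HTML versus SQL) rather than carrying a single "already escaped" flag.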