Pug is a simple templating language that lets you generate HTML markup with plain JavaScript.
By default, all attributes are escaped. If you need to use special characters, use != instead of =.
div(escaped="<code>")
=> <div escaped="&lt;code&gt;"></div>
div(unescaped!="<code>")
=> <div unescaped="<code>"></div>
p= 'This code <strong>is</strong> escaped!'
=> <p>This code &lt;strong&gt;is&lt;/strong&gt; escaped!</p>
p!= 'This code is' + ' <strong>not</strong> escaped!'
=> <p>This code is <strong>not</strong> escaped!</p>
div#foo(data-bar="foo")&attributes({'data-foo': 'bar'})
=> <div id="foo" data-bar="foo" data-foo="bar"></div>
Attributes applied using &attributes are not automatically escaped.
Safe:
p You're logged in as #{user.name}
Unsafe:
p You're logged in as !{user.name}
a(href="javascript:alert(document.domain)")
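Because &attributes does not escape and attribute escaping alone does not neutralize a javascript: href like the one above, values from users need cleaning before they reach the template. The following is an added example, not part of Pug or its documentation; the helper names escapeHtml, safeHref and safeAttrs and the scheme allowlist are assumptions made for illustration.

```javascript
// Added example; escapeHtml, safeHref and safeAttrs are hypothetical helpers.
// Template usage (assumed):
//   div&attributes(safeAttrs(userAttrs))
//   a(href=safeHref(user.url)) Profile
const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:']);
const SAFE_NAME = /^[A-Za-z][A-Za-z0-9_-]*$/;
const URL_ATTRS = new Set(['href', 'src', 'action', 'formaction']);

// Escape the characters that can break out of a double-quoted attribute
// value or open a tag in text content.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;' };
  return String(value).replace(/[&<>"]/g, (c) => map[c]);
}

// Keep a URL only if it resolves to an allowlisted scheme. The WHATWG URL
// parser normalizes case, leading whitespace and embedded tabs/newlines the
// way a browser does, so " JavaScript:" and "java\tscript:" are caught too.
// Relative URLs resolve against the placeholder base and are kept as given.
function safeHref(raw, fallback = '#') {
  try {
    const url = new URL(String(raw), 'https://base.invalid/');
    return ALLOWED_SCHEMES.has(url.protocol) ? String(raw) : fallback;
  } catch {
    return fallback;
  }
}

// Prepare an untrusted attribute object for &attributes(...):
// drop malformed names and on* event handlers, check URL-bearing
// attributes against the scheme allowlist, then escape every value.
function safeAttrs(attrs) {
  const out = {};
  for (const [name, value] of Object.entries(attrs)) {
    if (!SAFE_NAME.test(name)) continue;
    if (/^on/i.test(name)) continue;
    const v = URL_ATTRS.has(name.toLowerCase()) ? safeHref(value) : value;
    out[name] = escapeHtml(v);
  }
  return out;
}
```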