test: escaped and unescaped

PostgREST · Dec 13, 2023 · 2f67ca9 · 2f67ca9
1 parent 5f50f03
commit 2f67ca9
Show file tree

Hide file tree

Showing 3 changed files with 58 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -16,6 +16,8 @@ Logic-less templates for Postgres. Tested on Postgres 12, 13, 14, 15, 16.
 
 ### Variables
 
+Variables are handled as per the [mustache spec](https://mustache.github.io/mustache.5.html), a `{{key}}` variable will be interpolated.
+
 ```sql
 create or replace function win_money(you text, qt money, at timestamptz) returns text as $$
 Hello {{you}}!
@@ -30,6 +32,32 @@ select win_money('Slonik', '12000', now());
 (1 row)
 ```
 
+#### Escaped and Unescaped
+
+A double mustache `{{key}}` will be escaped and a triple mustache `{{{key}}}` will not be escaped.
+
+```sql
+create or replace function escape_me(tag text) returns text as $$
+{{tag}}
+$$ language plmustache;
+
+select escape_me('<script>evil()</script>');
+              escape_me
+-------------------------------------
+ &lt;script&gt;evil()&lt;/script&gt;
+(1 row)
+
+create or replace function do_not_escape_me(tag text) returns text as $$
+{{{tag}}}
+$$ language plmustache;
+
+select do_not_escape_me('<script>evil()</script>');
+    do_not_escape_me
+-------------------------
+ <script>evil()</script>
+(1 row)
+```
+
 ### Sections
 
 ```sql

diff --git a/test/expected/interpolation.out b/test/expected/interpolation.out
@@ -105,3 +105,21 @@ select hello_w_comment('ignored');
  Hello, ignored
 (1 row)
 
+create or replace function escape_me(tag text) returns text as $$
+{{tag}}
+$$ language plmustache;
+select escape_me('<script>evil()</script>');
+              escape_me              
+-------------------------------------
+ &lt;script&gt;evil()&lt;/script&gt;
+(1 row)
+
+create or replace function do_not_escape_me(tag text) returns text as $$
+{{{tag}}}
+$$ language plmustache;
+select do_not_escape_me('<script>evil()</script>');
+    do_not_escape_me     
+-------------------------
+ <script>evil()</script>
+(1 row)
+
diff --git a/test/sql/interpolation.sql b/test/sql/interpolation.sql
@@ -66,3 +66,15 @@ Hello,{{! ignore me }} {{x}}
 $$ language plmustache;
 
 select hello_w_comment('ignored');
+
+create or replace function escape_me(tag text) returns text as $$
+{{tag}}
+$$ language plmustache;
+
+select escape_me('<script>evil()</script>');
+
+create or replace function do_not_escape_me(tag text) returns text as $$
+{{{tag}}}
+$$ language plmustache;
+
+select do_not_escape_me('<script>evil()</script>');