Wt

Right now, we're doing a simple find and replace when writing out the template text of WTemplate.

However, if we properly use an XML parser, we can do things like:

• Strip comments
• Do context sensitive escaping: right now we always assume variables are in the text body. However, users may use them inside of attributes like this <a href="${var}"></a>. This should be properly escaped as an attribute. Sometimes users may be tempted to use this with untrusted text and cause XSS issues.

It would also be nice to be able to do the following, but they're more advanced, and are actually not really possible within the current API because of the virtual functions of WTemplate:

• Partial template updates when conditions change (we can't really know when they change when conditionValue(...) is overridden, and even templateText() is virtual)
• Retrieve a list of all variables in the template
• Enforce the rule that widgets only occur once in a template

The encode() function can be rolled into this, instead of having multiple passes.