This is the essence of the problem! Yaml and templates are just distractions. It just boils down to the fact that "string" is a very general type and we use it lazily.
My personal rule: Every time a value is inserted into a string it must be properly encoded.
I wrote a full blog post around this a while back https://kevincox.ca/2022/02/08/escape-everything/. But the TL;DR is that every string has a format which needs to be respected whether that be HTML, SQL or human-readable terminal output. Every time you put some value into a string you should be properly encoding it into that format. But we rarely do.
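As an added example (not from the comment above or from the linked post) of that rule in Python: the same value is encoded differently depending on the format of the string it lands in. The helper names and the sample values are constructed for illustration; only standard-library encoders are used.

```python
import html
import shlex
import sqlite3

# Constructed sample values: each is legitimate data that also happens to
# carry syntax characters of a format it might be inserted into.
NAME = "O'Brien <script>alert(1)</script>"
FILENAME = "report; rm -rf /tmp/x"
LOG_VALUE = "\x1b[31malice\x1b[0m\nlogin=ok"


def to_html(value):
    """Encode a value for insertion into HTML text or attribute content."""
    return html.escape(str(value), quote=True)


def to_shell(value):
    """Encode a value so the shell sees exactly one literal word."""
    return shlex.quote(str(value))


def to_terminal(value):
    """Encode a value for human-readable terminal output.

    Control characters (ANSI escapes, newlines) are rendered as their
    escaped spelling so a value cannot recolour output or forge log lines.
    """
    return "".join(ch if ch.isprintable() else repr(ch)[1:-1] for ch in str(value))


def find_user_by_name(conn, name):
    """For SQL, encoding is delegated to the driver via a placeholder
    instead of being done by hand in the query string."""
    return conn.execute("SELECT id FROM users WHERE name = ?", (name,)).fetchall()


def demo_sql():
    """Round-trip a name containing a quote through an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("INSERT INTO users (name) VALUES (?)", (NAME,))
    return find_user_by_name(conn, NAME)


if __name__ == "__main__":
    print("<p>Hello, " + to_html(NAME) + "</p>")
    print("cat " + to_shell(FILENAME))
    print("user=" + to_terminal(LOG_VALUE))
    print(demo_sql())
```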
> My personal rule: Every time a value is inserted into a string it must be properly encoded.
This is how Django templates have done it for over a decade. You have to go out of your way to tell it not to escape the values if for some reason you need that.