Code
Pug allows you to write inline JavaScript code in your templates. There are three types of code: Unbuffered, Buffered, and Unescaped Buffered.
Unbuffered Code
Unbuffered code starts with -. It does not directly add anything to the output.
Pug also supports block unbuffered code:
Buffered Code
Buffered code starts with =. It evaluates the JavaScript expression and outputs the result. For security, buffered code is first HTML escaped.
It can also be written inline (after any attributes), and supports the full range of JavaScript expressions:
Unescaped Buffered Code
Unescaped buffered code starts with !=. It evaluates the JavaScript expression and outputs the result. Unescaped buffered code does not perform any escaping, so it is unsafe for user input:
Unescaped buffered code can also be written inline with attributes, and supports the full range of JavaScript expressions:
Caution
Unescaped buffered code can be dangerous. You must be sure to sanitize any user inputs to avoid cross-site scripting (XSS).
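The difference between = and != on untrusted input, shown as an added example that is not part of the original page and is not Pug's own code. It is a simplified model that handles only single lines of the form "tag= expr" or "tag!= expr"; the names escapeHtml and renderLine are hypothetical, and the set of escaped characters is an assumption.

```javascript
// Simplified model of buffered (=) and unescaped buffered (!=) code.
// Not Pug's implementation: it only understands "tag= expr" and "tag!= expr".

// Assumed escape set: the characters significant in HTML text and in
// double-quoted attribute values.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"]/g, (ch) => HTML_ESCAPES[ch]);
}

// Render one template line against `locals`.
// The template text is trusted developer code; only `locals` carry user input.
function renderLine(line, locals) {
  const match = /^([a-z][a-z0-9]*)(!?=)\s*(.+)$/i.exec(line.trim());
  if (!match) throw new SyntaxError(`unsupported line: ${line}`);
  const [, tag, operator, expression] = match;

  // Evaluate the JavaScript expression with the locals in scope.
  const names = Object.keys(locals);
  const evaluate = new Function(...names, `return (${expression});`);
  const result = evaluate(...names.map((name) => locals[name]));

  // "=" escapes the result before output; "!=" writes it as-is.
  const body = operator === '=' ? escapeHtml(result) : String(result);
  return `<${tag}>${body}</${tag}>`;
}

// Constructed sample input standing in for a user-supplied comment.
const locals = { comment: '<script>alert("xss")</script> & more' };

const escaped = renderLine('p= comment', locals);
const unescaped = renderLine('p!= comment', locals);

console.log(escaped);   // markup is rendered inert as text
console.log(unescaped); // markup reaches the page unchanged
```

With =, the browser displays the comment as text; with !=, the same value is parsed as markup, which is why != should only receive values that have already been sanitized.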