Code

Pug allows you to write inline JavaScript code in your templates. There are three types of code: Unbuffered, Buffered, and Unescaped Buffered.

Unbuffered Code

Unbuffered code starts with -. It does not directly add anything to the output.

    - for (var x = 0; x < 3; x++)
      li item

    <li>item</li>
    <li>item</li>
    <li>item</li>

Pug also supports block unbuffered code:

    -
      var list = ["Uno", "Dos", "Tres",
                  "Cuatro", "Cinco", "Seis"]
    each item in list
      li= item

    <li>Uno</li>
    <li>Dos</li>
    <li>Tres</li>
    <li>Cuatro</li>
    <li>Cinco</li>
    <li>Seis</li>

Buffered Code

Buffered code starts with =. It evaluates the JavaScript expression and outputs the result. For security, buffered code is first HTML escaped.

    p
      = 'This code is <escaped>!'

    <p>This code is &lt;escaped&gt;!</p>

It can also be written inline with attributes, and supports the full range of JavaScript expressions:

    p= 'This code is' + ' <escaped>!'

    <p>This code is &lt;escaped&gt;!</p>

Unescaped Buffered Code

Unescaped buffered code starts with !=. It evaluates the JavaScript expression and outputs the result. Unescaped buffered code does not perform any escaping, so is unsafe for user input:

    p
      != 'This code is <strong>not</strong> escaped!'

    <p>This code is <strong>not</strong> escaped!</p>

Unescaped buffered code can also be written inline with attributes, and supports the full range of JavaScript expressions:

    p!= 'This code is' + ' <strong>not</strong> escaped!'

    <p>This code is <strong>not</strong> escaped!</p>

Caution

Unescaped buffered code can be dangerous. You must be sure to sanitize any user inputs to avoid cross-site scripting (XSS).
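The difference between = and != on user input, and one way to build markup that is safe to emit with !=, shown as an added example (not code from the Pug project). It runs without Pug installed: escapeHtml, renderBuffered, renderUnescaped and highlight are hypothetical helpers that model the behaviour described above, and the sample comment is constructed.

```javascript
// Stand-in for the escaping applied to `=` output (assumption: the four
// characters & < > " are replaced, which is enough for element content).
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;' };
  return String(value).replace(/[&<>"]/g, (ch) => map[ch]);
}

// Models the template line `p= value` (buffered, escaped).
function renderBuffered(value) {
  return `<p>${escapeHtml(value)}</p>`;
}

// Models the template line `p!= value` (unescaped buffered).
function renderUnescaped(value) {
  return `<p>${value}</p>`;
}

// Hypothetical helper producing markup meant for `!=`: the only raw HTML in
// the result is the <strong> tag written here. The user text is split on the
// raw search term and every piece is escaped before the tags are joined in.
function highlight(text, term) {
  const raw = String(text);
  if (!term) return escapeHtml(raw);
  const mark = `<strong>${escapeHtml(term)}</strong>`;
  return raw.split(String(term)).map((piece) => escapeHtml(piece)).join(mark);
}

// Constructed sample input standing in for a user-submitted comment.
const comment = 'Nice post <script>alert(1)</script> & thanks';

// p= comment      -> the markup arrives as inert text
console.log(renderBuffered(comment));
// p!= comment     -> the markup is emitted verbatim (the XSS case)
console.log(renderUnescaped(comment));
// p!= highlight(comment, 'post') -> trusted <strong>, escaped user text
console.log(renderUnescaped(highlight(comment, 'post')));
```
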