Html escaping for security: howto in D?
Fitz
fitz at figmentengine.com
Mon Jul 6 12:26:01 UTC 2020
On Monday, 6 July 2020 at 11:56:17 UTC, Fitz wrote:
> Hello (I am a newbie to dlang)
>
> What's the recommended way to escape user input when outputting
> html?
>
> intent: to stop XSS/etc, see
> https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
>
> thanks in advance!
>
> Fitz
looks like this forum uses
https://github.com/CyberShadow/ae/blob/master/utils/text/html.d
to do escaping. This code only escapes 4/6 characters, not these:
' --> &#x27;
/ --> &#x2F;
which looks risky? If it's stored in "$encode", given
<div class='$encoded'>hello, world</div>
then
$encode="blue' onclick='alert()"
results in:
<div class='blue' onclick='alert()'>hello, world</div>
could be nasty
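An escaper that covers all six characters from the OWASP list, written here as an added example (it is not the ae library's code nor anything the poster wrote); it runs the post's own payload through the escaper to show that the single quote can no longer close the class attribute:

```d
import std.array : appender;
import std.stdio : writeln;

/// Escape a string for insertion into HTML element content or into a
/// quoted attribute value. Covers the six characters from OWASP XSS
/// Prevention rule #1: & < > " ' /. Unquoted attributes, URLs, CSS and
/// JavaScript contexts need their own, stricter encoders.
string escapeHtml(string s)
{
    auto result = appender!string();
    result.reserve(s.length);
    foreach (char c; s)
    {
        switch (c)
        {
            case '&':  result.put("&amp;");  break;
            case '<':  result.put("&lt;");   break;
            case '>':  result.put("&gt;");   break;
            case '"':  result.put("&quot;"); break;
            case '\'': result.put("&#x27;"); break;
            case '/':  result.put("&#x2F;"); break;
            default:   result.put(c);        break;
        }
    }
    return result.data;
}

unittest
{
    // The payload from the post: with ' left unescaped it would close the
    // attribute value and inject an onclick handler.
    enum payload = "blue' onclick='alert()";
    assert(escapeHtml(payload) == "blue&#x27; onclick=&#x27;alert()");
    assert(escapeHtml("a & b < c") == "a &amp; b &lt; c");
}

void main()
{
    // Constructed input, same as in the post above.
    string encoded = escapeHtml("blue' onclick='alert()");
    // Prints the attribute with the quote encoded, so the browser treats
    // the whole value as the class name and no handler attribute appears.
    writeln("<div class='", encoded, "'>hello, world</div>");
}
```

Run with `rdmd -unittest` to execute the assertions before `main`.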