Html escaping for security: howto in D?
Vladimir Panteleev
thecybershadow.lists at gmail.com
Mon Jul 6 12:39:42 UTC 2020
On Monday, 6 July 2020 at 12:26:01 UTC, Fitz wrote:
> looks like this forum uses
> https://github.com/CyberShadow/ae/blob/master/utils/text/html.d
> to do escaping. This code only escape 4/6 characters, not these:
> ' --> '
> / --> /
> which looks risky, if it's stored in "$encode", given
> <div class='$encoded'>hello, world</div>
> then
> $encode="blue' onclick='alert()"
> results in:
> <div class='blue' onclick='alert()'>hello, world</div>
> could be nasty
If you don't escape single quotes, then don't use single quotes
to delimit attributes.
I fixed the function to also escape single quotes. Thanks for the
report. But, I think you should look at Vibe.d or Hunt for a more
complete framework.
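For reference, here is a stand-alone D escaper that covers all six characters from the report (`&`, `<`, `>`, `"`, `'`, `/`) and shows what the reported payload turns into once the single quote is escaped. This is an added example, not code from ae, Vibe.d or Hunt; the function name and the choice of numeric entities for `'` and `/` are my own.

```d
import std.array : appender;
import std.stdio : writeln;

/// Escape a string so it is safe as HTML text content and as an
/// attribute value delimited by either double or single quotes.
/// Hypothetical helper written for this example, not ae.utils.text.html.
string escapeHtmlAttr(string s)
{
    auto buf = appender!string();
    buf.reserve(s.length);
    // Iterating by char walks UTF-8 code units; non-ASCII bytes are never
    // in the switch, so they pass through untouched via the default case.
    foreach (char c; s)
    {
        switch (c)
        {
            case '&':  buf.put("&amp;");  break;
            case '<':  buf.put("&lt;");   break;
            case '>':  buf.put("&gt;");   break;
            case '"':  buf.put("&quot;"); break;
            case '\'': buf.put("&#39;");  break; // missing from a 4-character escaper
            case '/':  buf.put("&#x2F;"); break; // closes tags like </script> otherwise
            default:   buf.put(c);
        }
    }
    return buf.data;
}

unittest
{
    // Constructed input: the attribute-breakout value from the report above.
    enum untrusted = "blue' onclick='alert()";
    assert(escapeHtmlAttr(untrusted) == "blue&#39; onclick=&#39;alert()");
    assert(escapeHtmlAttr(`a<b>&"c"/d`) == "a&lt;b&gt;&amp;&quot;c&quot;&#x2F;d");
    assert(escapeHtmlAttr("plain text") == "plain text");
}

void main()
{
    // The single quote is now inert, so the value cannot end the class
    // attribute and start a new one. Quoting the attribute is still required:
    // escaping does not help an unquoted attribute, where a space suffices.
    string encoded = escapeHtmlAttr("blue' onclick='alert()");
    writeln("<div class='", encoded, "'>hello, world</div>");
}
```

Compile with `dmd -unittest` to run the checks, or plainly to print the escaped `<div>`.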