Html escaping for security: howto in D?

Fitz fitz at figmentengine.com
Mon Jul 6 12:42:50 UTC 2020


On Monday, 6 July 2020 at 12:39:42 UTC, Vladimir Panteleev wrote:
> On Monday, 6 July 2020 at 12:26:01 UTC, Fitz wrote:
>> looks like this forum uses 
>> https://github.com/CyberShadow/ae/blob/master/utils/text/html.d to do escaping. This code only escapes 4/6 characters, not these:
>> ' --> '
>> / --> /
>> which looks risky? If it's stored in "$encode", given
>> <div class='$encoded'>hello, world</div>
>> then
>> $encode="blue' onclick='alert()"
>> results in:
>> <div class='blue' onclick='alert()'>hello, world</div>
>> could be nasty
>
> If you don't escape single quotes, then don't use single quotes 
> to delimit attributes.
>
> I fixed the function to also escape single quotes. Thanks for 
> the report. But, I think you should look at Vibe.d or Hunt for 
> a more complete framework.

thank you! I'll have a look at them to see what they provide
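As an added example (not code from the ae library or from either poster), the attribute-injection case from the report above can be reproduced and neutralised with an escaper that covers all six characters mentioned in the thread: `&`, `<`, `>`, `"`, `'` and `/`. The function name `escapeHtml`, the entity choices (`&#39;` for the single quote, `&#x2F;` for the slash) and the sample payload are assumptions made here for illustration.

```d
import std.array : appender;
import std.stdio : writeln;

/// Escape the six characters that can break out of HTML text or a
/// quoted attribute value: & < > " ' /
/// (hypothetical helper written for this example, not ae's html.d)
string escapeHtml(string s)
{
    auto result = appender!string();
    result.reserve(s.length);
    foreach (char c; s)
    {
        switch (c)
        {
            case '&':  result ~= "&amp;";  break;
            case '<':  result ~= "&lt;";   break;
            case '>':  result ~= "&gt;";   break;
            case '"':  result ~= "&quot;"; break;
            case '\'': result ~= "&#39;";  break;  // the case missed by a 4-char escaper
            case '/':  result ~= "&#x2F;"; break;  // closes tags in unquoted contexts
            default:   result ~= c;        break;
        }
    }
    return result.data;
}

unittest
{
    // Constructed payload, the same one used in the report above.
    // With the single quote escaped, the value can no longer end the
    // class='...' attribute and start an onclick handler.
    assert(escapeHtml("blue' onclick='alert()")
        == "blue&#39; onclick=&#39;alert()");

    // Characters outside the six are passed through untouched.
    assert(escapeHtml("hello, world") == "hello, world");
}

void main()
{
    enum payload = "blue' onclick='alert()";  // constructed sample input
    writeln("<div class='", escapeHtml(payload), "'>hello, world</div>");
    // Renders a single-quoted attribute whose value contains literal
    // quote characters instead of a second attribute.
}
```

Run with `rdmd -unittest` to execute the assertions before `main`. Escaping the quote character is what makes the single-quoted attribute safe; the advice in the reply above still applies: the escaper and the template's quoting style have to agree, and an escaper that only covers double quotes must only ever be paired with double-quoted attributes.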


More information about the Digitalmars-d mailing list