Html escaping for security: howto in D?
aberba
karabutaworld at gmail.com
Mon Jul 6 14:57:22 UTC 2020
On Monday, 6 July 2020 at 11:56:17 UTC, Fitz wrote:
> Hello (I am a newbie to dlang)
>
> What's the recommended way to escape user input when outputting
> html?
>
> intent: to stop XSS/etc, see
> https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
>
> thanks in advance!
>
> Fitz
So in D you'll have to do multiple things. The first one is using
some kind of stripTags() as available in PHP. I had it in me some
time ago to create such a collection of handy utilities...a very
long long time ago...two yrs 😜. See
https://code.dlang.org/packages/sanival for stripTags()
It's a very limited implementation and uses std.regex, which many
people here who are critical about performance will speak
against. I'm yet to see an alternative. So you could use that if
you don't find a better alternative.
That's just the first step.
The second would be to use prepared statements in whatever
database you use if it's vulnerable to such attacks,
SQL injection for instance. Not all databases are.
Third will be to have a server-side validation function which
checks for unexpected characters/tags and issues an error to the
users.
You should probably do the third one first 😀
You could go as deep as you want. But that's how I might do it.
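For reference, here is the output-encoding step the OWASP cheat sheet linked in the question actually asks for, written in D. This is an added example for this thread; it is not code from the reply above, from the sanival package, or from Phobos. It assumes the escaped value is placed either in an HTML text node or inside a double-quoted attribute value (the two contexts the cheat sheet calls "HTML body" and "HTML attribute"); the function and type names (escapeHtml, renderComment) and the hostile sample inputs are made up for the example. Unlike stripTags(), it keeps the user's text intact and only neutralises the characters that can change the markup, so `Tom & Jerry` or `a < b` still render correctly.

```d
// html_escape.d
// Added example: contextual HTML output encoding in D, as recommended by the
// OWASP XSS prevention cheat sheet. Not part of sanival or of the original
// post. Build and self-check with:  dmd -unittest -run html_escape.d
import std.array : appender;
import std.stdio : writeln;

/// Encode `s` so it can be interpolated as HTML text content or inside a
/// double-quoted attribute value. Every character that can open or close a
/// tag, an attribute value or an entity is replaced by an entity; everything
/// else (including non-ASCII) passes through unchanged.
string escapeHtml(string s)
{
    auto buf = appender!string();
    buf.reserve(s.length);
    foreach (dchar c; s)        // decode UTF-8 so multi-byte chars stay intact
    {
        switch (c)
        {
            case '&':  buf.put("&amp;");  break;
            case '<':  buf.put("&lt;");   break;
            case '>':  buf.put("&gt;");   break;
            case '"':  buf.put("&quot;"); break;
            case '\'': buf.put("&#x27;"); break; // &apos; is not HTML 4
            case '/':  buf.put("&#x2F;"); break; // closes tags in some parsers
            default:   buf.put(c);
        }
    }
    return buf.data;
}

/// Render one user comment. Both the attribute value and the text node go
/// through escapeHtml(); the attribute MUST be quoted for that to be enough.
/// (Hypothetical helper for the example; not from any library.)
string renderComment(string author, string text)
{
    return `<div class="comment" data-author="` ~ escapeHtml(author) ~ `">`
         ~ `<p>` ~ escapeHtml(text) ~ `</p></div>`;
}

unittest
{
    // Constructed hostile inputs (sample data for the example).
    assert(escapeHtml("<script>alert(1)</script>")
        == "&lt;script&gt;alert(1)&lt;&#x2F;script&gt;");
    assert(escapeHtml(`" onmouseover="alert(1)`)
        == "&quot; onmouseover=&quot;alert(1)");
    // Legitimate text survives, which stripTags()-style filtering would mangle.
    assert(escapeHtml("Tom & Jerry, a < b") == "Tom &amp; Jerry, a &lt; b");
    assert(escapeHtml("héllo ✓") == "héllo ✓");
    assert(renderComment(`x" onload="alert(1)`, "hi")
        == `<div class="comment" data-author="x&quot; onload=&quot;alert(1)"><p>hi</p></div>`);
}

void main()
{
    // Constructed attacker-controlled input, as it might arrive from a form.
    auto author = `"><img src=x onerror=alert(1)>`;
    auto text   = "<b>bold?</b> & more";
    writeln(renderComment(author, text));
}
```

Two caveats worth keeping in mind: this encoder is only correct for the two HTML contexts named above; a value dropped into a JavaScript string, a URL parameter or a CSS property needs the separate encoders the cheat sheet lists for those contexts, and escaping the value for HTML does nothing for SQL injection, which is what the prepared statements in the second step are for.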