Html escaping for security: howto in D?

Fitz fitz at figmentengine.com
Tue Jul 7 17:59:21 UTC 2020


On Monday, 6 July 2020 at 15:13:30 UTC, aberba wrote:

> If you want to completely removed all tags, 
> https://code.dlang.org/packages/plain might be better.

seems overkill, just implemented something simple:

	// https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
	import std.array : appender;

	// Replace the six characters OWASP lists for HTML element content
	// and quoted attribute values with their entity forms.
	string encodeSafely(string input) {
		auto w = appender!string;

		foreach (c; input) {
			switch (c) {
				case '&':
					w ~= "&amp;";
					break;
				case '<':
					w ~= "&lt;";
					break;
				case '>':
					w ~= "&gt;";
					break;
				case '"':
					w ~= "&quot;";
					break;
				case '\'':
					w ~= "&#x27;";
					break;
				case '/':
					w ~= "&#x2F;";
					break;
				default:
					w ~= c;
					break;
			}
		}

		return w[];
	}
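The same OWASP six-character escaper as an added, stand-alone example (my code, not from the post above or from Phobos), with two things worth having around it: a helper that always quotes the attribute it builds, and a unittest that shows the escaper is not idempotent, so it must be applied exactly once at output time. The names htmlEscape, attr and noActiveChars are my own.

```d
import std.array : appender;
import std.stdio : writeln;

/// Escape the six characters OWASP's XSS cheat sheet lists for HTML
/// element content and for values inside quoted attributes.
string htmlEscape(string input)
{
    auto w = appender!string;
    foreach (c; input)
    {
        switch (c)
        {
            case '&':  w ~= "&amp;";  break;
            case '<':  w ~= "&lt;";   break;
            case '>':  w ~= "&gt;";   break;
            case '"':  w ~= "&quot;"; break;
            case '\'': w ~= "&#x27;"; break;
            case '/':  w ~= "&#x2F;"; break;
            default:   w ~= c;        break;
        }
    }
    return w[];
}

/// Always emit the value double-quoted: in an unquoted attribute a space
/// ends the value, and htmlEscape leaves spaces alone.
string attr(string name, string value)
{
    return name ~ `="` ~ htmlEscape(value) ~ `"`;
}

/// Test-time check: no raw < > " ' may remain in escaped output.
bool noActiveChars(string s)
{
    foreach (c; s)
        if (c == '<' || c == '>' || c == '"' || c == '\'') return false;
    return true;
}

unittest
{
    enum sample = `5 < 6 & "q" 'x' a/b`;   // constructed input
    assert(htmlEscape(sample) == "5 &lt; 6 &amp; &quot;q&quot; &#x27;x&#x27; a&#x2F;b");
    assert(noActiveChars(htmlEscape(sample)));
    assert(attr("title", `a"b`) == `title="a&quot;b"`);
    // Not idempotent: a second pass turns &lt; into &amp;lt;, so escape
    // exactly once, at the point where the string is written into HTML.
    assert(htmlEscape(htmlEscape("<")) == "&amp;lt;");
}
void main() { writeln(attr("title", `5 < 6 & "q"`)); }   // run with: dmd -unittest -run file.d
```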

