Html escaping for security: howto in D?

bauss jj_1337 at live.dk
Tue Jul 7 18:30:38 UTC 2020


On Tuesday, 7 July 2020 at 17:59:21 UTC, Fitz wrote:
> On Monday, 6 July 2020 at 15:13:30 UTC, aberba wrote:
>
>> If you want to completely removed all tags, 
>> https://code.dlang.org/packages/plain might be better.
>
> seems overkill, just implemented something simple:
> // Per https://cheatsheetserieseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
> 	import std.array : appender;
> 
> 	// Escape characters that are significant in HTML element content
> 	// and quoted attribute values so user input cannot inject markup.
> 	string encodeSafely(string input) {
> 		auto w = appender!string;
>
> 		foreach (c; input) {
> 			switch (c) {
> 				case '&':
> 					w ~= "&amp;";
> 					break;
> 				case '<':
> 					w ~= "&lt;";
> 					break;
> 				case '>':
> 					w ~= "&gt;";
> 					break;
> 				case '"':
> 					w ~= "&quot;";
> 					break;
> 				case '\'':
> 					w ~= "&#x27;"; // &apos; is not defined in HTML 4
> 					break;
> 				case '/':
> 					w ~= "&#x2F;";
> 					break;
> 				default:
> 					w ~= c;
> 					break;
> 			}
> 		}
>
> 		return w[];
> 	}

There is no reason to escape / and it might break some parsers 
for links etc. You should only escape <, >, &, " and '.
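As an added example (not code from either poster), here is a D escaper that encodes only the five characters bauss lists and passes `/` through unchanged, with a unittest showing the resulting output and the caveat that the caller must still quote attribute values. The function name `escapeHtml` is my own choice.

```d
// Added example: HTML escaper in D covering <, >, &, " and ' only.
import std.array : appender;
import std.stdio : writeln;

/// Escape a string for insertion into HTML element content or into a
/// double- or single-quoted attribute value. '/' is left alone so URLs
/// placed in href/src values remain readable.
string escapeHtml(string input)
{
    auto w = appender!string;
    w.reserve(input.length); // most input needs no expansion at all

    foreach (c; input)
    {
        switch (c)
        {
            case '&':  w ~= "&amp;";  break;
            case '<':  w ~= "&lt;";   break;
            case '>':  w ~= "&gt;";   break;
            case '"':  w ~= "&quot;"; break;
            case '\'': w ~= "&#x27;"; break; // &apos; is not in HTML 4
            default:   w ~= c;        break;
        }
    }
    return w[];
}

unittest
{
    // Constructed sample inputs.
    assert(escapeHtml(`<script>alert("x")</script>`)
        == "&lt;script&gt;alert(&quot;x&quot;)&lt;/script&gt;");
    assert(escapeHtml("Tom & Jerry's") == "Tom &amp; Jerry&#x27;s");

    // '/' passes through, so a link target is not mangled.
    assert(escapeHtml("https://dlang.org/") == "https://dlang.org/");

    // The function does not recognise pre-existing entities; applying it
    // twice double-encodes, so escape exactly once, at output time.
    assert(escapeHtml("&amp;") == "&amp;amp;");
}

void main()
{
    // Escaping only makes a QUOTED attribute safe; the quotes around the
    // value are the caller's responsibility.
    string userTitle = `Say "hi" & <bye>`;
    writeln(`<a href="/" title="`, escapeHtml(userTitle), `">`,
            escapeHtml(userTitle), "</a>");
}
```

Run the checks with `dmd -unittest -run escape.d` (file name assumed). Note that this is an escaper for HTML body and quoted-attribute contexts only; values placed inside JavaScript, CSS or URL parameters need the context-specific encoding the OWASP cheat sheet describes.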

