Html escaping for security: howto in D?
Adam D. Ruppe
destructionator at gmail.com
Wed Jul 8 18:07:34 UTC 2020
On Wednesday, 8 July 2020 at 17:27:25 UTC, Fitz wrote:
> '/' is on the OWASP list. you can use it to break out of an
> HTML tag.
> tbh I can't think about how it can be used?

A JavaScript string including </script> will end the script
interpreter and then spit out HTML. So a lot of things will do \/
instead to prevent this.

If you do context-aware encoding, though, a lot of this goes away.
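
The two output contexts from the reply above, as an added example in D that is not part of the original post. `htmlEscape`, `jsStringLiteral` and `closesScriptEarly` are hypothetical helper names, the sample value is constructed, and escaping `<` as `\u003C` alongside the `\/` from the post is an addition beyond what the post describes.

```d
import std.algorithm.searching : canFind;
import std.array : appender;
import std.format : format;
import std.stdio : writeln;
import std.uni : toLower;

/// HTML text / quoted-attribute context: entity-encode markup characters.
string htmlEscape(string s) {
    auto o = appender!string();
    foreach (dchar c; s) switch (c) {
        case '&':  o.put("&amp;");  break;
        case '<':  o.put("&lt;");   break;
        case '>':  o.put("&gt;");   break;
        case '"':  o.put("&quot;"); break;
        case '\'': o.put("&#39;");  break;
        default:   o.put(c);        break;
    }
    return o.data;
}

/// Inline <script> context: emit a double-quoted JavaScript string literal.
string jsStringLiteral(string s) {
    auto o = appender!string();
    o.put('"');
    foreach (dchar c; s) switch (c) {
        case '\\': o.put(`\\`);     break;
        case '"':  o.put(`\"`);     break;
        case '/':  o.put(`\/`);     break; // the "\/" mentioned in the post
        case '<':  o.put(`\u003C`); break; // assumption: also hide "<" itself
        default:
            // Control characters and U+2028/U+2029 become \uXXXX escapes.
            if (c < 0x20 || c == 0x2028 || c == 0x2029)
                o.put(format(`\u%04X`, cast(uint) c));
            else
                o.put(c);
            break;
    }
    o.put('"');
    return o.data;
}

/// Simplified model of the HTML parser: the script element ends at the first
/// case-insensitive "</script", regardless of JavaScript string quoting.
bool closesScriptEarly(string scriptBody) {
    return scriptBody.toLower.canFind("</script");
}

void main() {
    string value = "a</script><b>b</b>"; // constructed sample input
    string naive = `var v = "` ~ value ~ `";`;
    string safe  = "var v = " ~ jsStringLiteral(value) ~ ";";
    assert(closesScriptEarly(naive));
    assert(!closesScriptEarly(safe));
    assert(safe == `var v = "a\u003C\/script>\u003Cb>b\u003C\/b>";`);
    // Entities are the right encoding for HTML text, not for script bodies.
    assert(htmlEscape(value) == "a&lt;/script&gt;&lt;b&gt;b&lt;/b&gt;");
    writeln(safe);
}
```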