Html escaping for security: howto in D?

Adam D. Ruppe destructionator at gmail.com
Wed Jul 8 18:07:34 UTC 2020


On Wednesday, 8 July 2020 at 17:27:25 UTC, Fitz wrote:
> '/' is on the OWASP list. You can use it to break out of a 
> html tag.
> tbh I can't think about how it can be used?

A javascript string including </script> will end the script 
interpreter and then spit out html. So a lot of things will do \/ 
instead to prevent this.

If you do context-aware encoding though a lot of this goes away.
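
The behaviour described in the reply above, as an added JavaScript example that is not part of the original post: the function names and the sample value are constructed, and `splitAtScriptEnd` is a simplified model of how an HTML parser finds the end of a script element.

```javascript
// Added example. Function names and the sample value are constructed.

// Naive embedding: JSON.stringify leaves "/" untouched, so a "</script>"
// inside the data reaches the page verbatim.
function naiveInline(value) {
  return "<script>var data = " + JSON.stringify(value) + ";</script>";
}

// The "\/" technique from the reply: "\/" is a legal escape for "/" in both
// JSON and JavaScript string literals, so the decoded value is unchanged.
function escapeForScript(value) {
  return JSON.stringify(value).replace(/\//g, "\\/");
}

function safeInline(value) {
  return "<script>var data = " + escapeForScript(value) + ";</script>";
}

// Simplified model of the HTML parser: it knows nothing about JavaScript
// quoting and ends the script element at the first "</script" it sees.
function splitAtScriptEnd(html) {
  const lower = html.toLowerCase();
  const bodyStart = lower.indexOf("<script>") + "<script>".length;
  const end = lower.indexOf("</script", bodyStart);
  const close = lower.indexOf(">", end) + 1;
  return {
    scriptBody: html.slice(bodyStart, end),  // what the JS engine receives
    afterScript: html.slice(close),          // what is then parsed as HTML
  };
}

const sample = { text: "hi </script><b>markup</b>" }; // constructed input

const naive = splitAtScriptEnd(naiveInline(sample));
const safe = splitAtScriptEnd(safeInline(sample));

console.log("naive script body :", naive.scriptBody);
console.log("naive parsed as HTML:", naive.afterScript);
console.log("safe script body  :", safe.scriptBody);
console.log("safe parsed as HTML :", JSON.stringify(safe.afterScript));
console.log("round trip intact :",
  JSON.parse(escapeForScript(sample)).text === sample.text);
```
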

