Html escaping for security: howto in D?
bauss
jj_1337 at live.dk
Tue Jul 7 18:31:16 UTC 2020
On Tuesday, 7 July 2020 at 18:30:38 UTC, bauss wrote:
> On Tuesday, 7 July 2020 at 17:59:21 UTC, Fitz wrote:
>> On Monday, 6 July 2020 at 15:13:30 UTC, aberba wrote:
>>
>>> If you want to completely removed all tags,
>>> https://code.dlang.org/packages/plain might be better.
>>
>> seems overkill, just implemented something simple:
>> // https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
>> import std.array : appender; // needed for appender!string
>>
>> // Replace the HTML-significant characters with their entity forms
>> // (the archive had collapsed the entities back into literal characters).
>> string encodeSafely(string input) {
>>     auto w = appender!string;
>>
>>     foreach (c; input) {
>>         switch (c) {
>>         case '&':
>>             w ~= "&amp;";
>>             break;
>>         case '<':
>>             w ~= "&lt;";
>>             break;
>>         case '>':
>>             w ~= "&gt;";
>>             break;
>>         case '"':
>>             w ~= "&quot;";
>>             break;
>>         case '\'':
>>             w ~= "&#x27;";
>>             break;
>>         case '/':
>>             w ~= "&#x2F;";
>>             break;
>>         default:
>>             w ~= c;
>>             break;
>>         }
>>     }
>>
>>     return w[];
>> }
>
> There is no reason to escape / and it might break some parsers
> for links etc. You should only escape <, >, &, " and '
Oh and control characters (basically anything not tabs below
space in ASCII)
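The following is an added example, not code posted by Fitz or bauss, that implements the escaper the way bauss describes: `<`, `>`, `&`, `"` and `'` are turned into entities, `/` is left alone, and ASCII control characters other than tab, newline and carriage return are dropped. The entity spellings (`&#x27;` for the apostrophe) are taken from the OWASP cheat sheet linked above; the function name `escapeHtml` is my own choice.

```d
// Added example (not from the original thread): HTML text/attribute escaper
// following the advice in this thread. Assumes the entity forms from the
// OWASP XSS prevention cheat sheet; escapeHtml is a name chosen here.
import std.array : appender;
import std.stdio : writeln;

string escapeHtml(string input)
{
    auto w = appender!string;
    w.reserve(input.length);

    // Iterate over UTF-8 code units. Bytes of multi-byte sequences are
    // >= 0x80, so they are never mistaken for control characters and pass
    // through unchanged.
    foreach (char c; input)
    {
        switch (c)
        {
        case '&':  w ~= "&amp;";  break;
        case '<':  w ~= "&lt;";   break;
        case '>':  w ~= "&gt;";   break;
        case '"':  w ~= "&quot;"; break;
        case '\'': w ~= "&#x27;"; break;
        case '\t', '\n', '\r':
            w ~= c;      // whitespace control characters are kept
            break;
        default:
            // Drop the remaining C0 control characters (0x00-0x1F) and DEL.
            if (c < 0x20 || c == 0x7F)
                break;
            w ~= c;      // '/' and everything else is emitted as-is
            break;
        }
    }
    return w[];
}

unittest
{
    assert(escapeHtml("<script>alert('x')</script>")
           == "&lt;script&gt;alert(&#x27;x&#x27;)&lt;/script&gt;");
    assert(escapeHtml("a/b") == "a/b");          // '/' is not escaped
    assert(escapeHtml("x\x00y\tz\x7F") == "xy\tz"); // controls dropped, tab kept
    assert(escapeHtml("caf\u00e9") == "caf\u00e9"); // non-ASCII passes through
}

void main()
{
    // Constructed sample input mixing attribute delimiters and a link path.
    writeln(escapeHtml(`<a href="/?q=1&r=2">it's</a>`));
}
```

Run with `dmd -unittest -run escape.d` (or `rdmd -unittest escape.d`) to execute the embedded checks before the sample line is printed. The output is safe to place in HTML text content and inside quoted attribute values; it is not sufficient on its own for contexts such as JavaScript strings, URLs or CSS, which the OWASP cheat sheet treats separately.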