Html escaping for security: howto in D?
aberba
karabutaworld at gmail.com
Wed Jul 8 08:47:20 UTC 2020
On Wednesday, 8 July 2020 at 05:29:16 UTC, Kagamin wrote:
> On Tuesday, 7 July 2020 at 20:10:14 UTC, aberba wrote:
>> unittest
>> {
>>     assert(stripTags("<html><b>bold</b></html>") == "bold");
>>     assert(stripTags("<html><b>bold</b></html>", ["<html>"]) ==
>>         "<html>bold</html>");
>> }
>
> Meh, Skype strips tags and it's infuriating, basically any text
> that contains < or > disappears.

It's not perfect and there surely can be a better implementation
that covers those edge cases.

However stripTags() has its place. It's a very used function
available in PHP among others for specific use cases.

Now I can't stress "specific" use case enough. Sometimes
removing tags...those not whitelisted...is the desired behaviour.
You don't want to encode, you simply want to remove them.

These days manual tags entry is phasing out for rich text
editors. And the rest are using markdown.

Nevertheless, stripTags() has its place.
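
An added example, not part of the original message and not the implementation discussed in the thread: one way a stripTags() with the signature used in the quoted unittest could handle the edge case raised above, where text that merely contains < or > disappears. Dropping attributes from kept tags and emitting stray brackets as entities are choices made for this example.

```d
import std.algorithm.searching : canFind;
import std.ascii : isAlpha, isAlphaNum, toLower;
import std.string : indexOf;

// Illustrative implementation. `allowed` holds tags written as "<name>", as in
// the quoted unittest; a kept tag is re-emitted bare, without its attributes.
string stripTags(string input, const(string)[] allowed = null)
{
    string result;
    size_t i = 0;
    while (i < input.length)
    {
        immutable c = input[i];
        if (c == '>') { result ~= "&gt;"; ++i; continue; } // stray '>' is text
        if (c != '<') { result ~= c; ++i; continue; }
        // '<' opens markup only when followed by a letter, '/', '!' or '?'.
        immutable next = i + 1 < input.length ? input[i + 1] : ' ';
        if (!isAlpha(next) && !"/!?".canFind(next)) { result ~= "&lt;"; ++i; continue; }
        immutable pos = input.indexOf('>', i);
        if (pos < 0) break; // unterminated markup: drop the remainder
        immutable end = cast(size_t) pos;
        // Read the tag name, skipping the '/' of a closing tag.
        size_t p = i + 1;
        immutable closing = input[p] == '/';
        if (closing) ++p;
        string name;
        while (p < end && isAlphaNum(input[p])) name ~= toLower(input[p++]);
        // Comments, doctypes and tags that are not allowed produce no output.
        if (name.length && allowed.canFind("<" ~ name ~ ">"))
            result ~= (closing ? "</" : "<") ~ name ~ ">";
        i = end + 1;
    }
    return result;
}

unittest
{
    // The two cases from the quoted post.
    assert(stripTags("<html><b>bold</b></html>") == "bold");
    assert(stripTags("<html><b>bold</b></html>", ["<html>"]) == "<html>bold</html>");
    // Constructed inputs: plain text containing '<' or '>' survives as entities.
    assert(stripTags("if a < b then c > d") == "if a &lt; b then c &gt; d");
    // An allowed tag loses its attributes.
    assert(stripTags(`<b onclick="x()">hi</b>`, ["<b>"]) == "<b>hi</b>");
    // Comments and unterminated markup are dropped.
    assert(stripTags("a<!-- c -->b<i") == "ab");
}

void main() {}
```

Compile with `dmd -unittest -run` to execute the assertions.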