hiccup
Escaping attributes, CSS, JavaScript, URLs
The OWASP XSS cheat sheet talks about escaping HTML, attributes, CSS, JavaScript, and URLs. It seems like Hiccup does HTML and URL escaping, but doesn't provide functions for escaping the others. Is my understanding correct, and would you be open to a patch for this? I'm not quite sure yet whether it would be possible to integrate it into the escape-html function, or if they would need to be separate functions.
Relates to #122.
The OWASP rules seem rather aggressive. They might conceivably protect against possible bugs in the browser, but they also make the output harder to read. I think I'd want this to be implemented as a non-default option, once #122 is merged.
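The per-context escaping discussed in this thread, as an added example that is not part of the issue and is not Hiccup code. All function names are hypothetical; the rule applied is the OWASP one of encoding every non-alphanumeric character below code point 256, and the fixed six-digit CSS form is an assumption chosen so no terminating space is needed.

```clojure
(ns example.context-escape
  (:require [clojure.string :as str]))

;; Baseline for comparison: minimal HTML-body escaping.
;; A stand-in written for this example, not Hiccup's own function.
(defn escape-html-body [s]
  (str/escape (str s) {\& "&amp;" \< "&lt;" \> "&gt;" \" "&quot;"}))

(defn- alnum? [cp]
  (or (<= 48 cp 57)     ; 0-9
      (<= 65 cp 90)     ; A-Z
      (<= 97 cp 122)))  ; a-z

(defn- escape-with
  "Replace every non-alphanumeric char below code point 256 with (fmt cp).
   Chars at or above 256 pass through unchanged, as in the OWASP rule."
  [fmt s]
  (apply str
         (map (fn [c]
                (let [cp (int c)]
                  (if (and (< cp 256) (not (alnum? cp)))
                    (fmt cp)
                    c)))
              (str s))))

;; HTML attribute value context: &#xHH;
(defn escape-attr [s] (escape-with #(format "&#x%02X;" %) s))

;; JavaScript string literal context: \xHH
(defn escape-js [s] (escape-with #(format "\\x%02X" %) s))

;; CSS property value context: backslash plus six hex digits
(defn escape-css [s] (escape-with #(format "\\%06X" %) s))

;; Constructed sample input; the same value rendered for each context.
(def sample "a\"b <c> & d's")

(defn demo []
  (doseq [[label f] [["html body" escape-html-body]
                     ["attribute" escape-attr]
                     ["js string" escape-js]
                     ["css value" escape-css]]]
    (println (format "%-10s %s" label (f sample)))))
```

Calling `(demo)` at a REPL prints the four encodings side by side, which makes the readability cost raised in the reply concrete: spaces and apostrophes are encoded in the three stricter contexts but not in the HTML-body baseline.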