tera icon indicating copy to clipboard operation
tera copied to clipboard
verified publisher icon Keats

escape_html: use literal forward slash

Open 89z opened this issue 5 years ago • 3 comments

Forward slash is not a reserved HTML character, and most major implementations do not encode it.

Fixes #567

89z avatar Nov 06 '20 02:11 89z

This is following OWASP recommendations (https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html#rule-1-html-encode-before-inserting-untrusted-data-into-html-element-content) and I don't think escaping it breaks anything

Keats avatar Nov 06 '20 10:11 Keats

Thanks, I'll merge it for the next major version

Keats avatar Dec 02 '20 17:12 Keats