liquid-rust
Escape filter results by default
So this is a pretty large change I think, but as far as I understand the original Liquid HTML escapes everything that goes into filters by default, or something. Someone would have to check what exactly gets escaped in Liquid and do the same escaping in liquid-rust. It just states
> It needs to be non evaling and secure. Liquid templates are made so that users can edit them. You don't want to run code on your server which your users wrote.
which is pretty vague.
Could use https://github.com/skade/escapade
A thought I have on this
- Add the ability to set a global auto-escape filter on the `ParserBuilder`
- Support file-extension overrides of the global auto-escape filter.
- Until #323 is implemented, this will only work with partial-templates
- Possibly support the ability to set the autoescape for a template on a one-off basis.
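
A sketch of the precedence proposed in the list above (one-off setting, then file-extension override, then global default), added here as an example and not liquid-rust code. `AutoEscape`, `EscapePolicy`, `resolve`, `emit` and `escape_html` are hypothetical names, and the five-character HTML escape set is an assumption, since the issue leaves open what exactly Liquid escapes.

```rust
use std::path::Path;

/// Hypothetical escaping modes; not a liquid-rust type.
#[derive(Clone, Copy, Debug, PartialEq)]
pub enum AutoEscape { None, Html }

/// Hypothetical policy: a global default plus file-extension overrides.
pub struct EscapePolicy {
    pub global: AutoEscape,
    pub by_extension: Vec<(&'static str, AutoEscape)>,
}

impl EscapePolicy {
    /// Precedence: one-off setting, then extension override, then global default.
    pub fn resolve(&self, template: &Path, one_off: Option<AutoEscape>) -> AutoEscape {
        let ext = template.extension().and_then(|e| e.to_str());
        let by_ext = self.by_extension.iter().find(|(e, _)| Some(*e) == ext).map(|(_, m)| *m);
        one_off.or(by_ext).unwrap_or(self.global)
    }
}

/// Escape the characters significant in HTML text and quoted attribute values
/// (assumed set; does not make output safe inside script or URL contexts).
pub fn escape_html(input: &str) -> String {
    let mut out = String::with_capacity(input.len());
    for c in input.chars() {
        match c {
            '&' => out.push_str("&amp;"),
            '<' => out.push_str("&lt;"),
            '>' => out.push_str("&gt;"),
            '"' => out.push_str("&quot;"),
            '\'' => out.push_str("&#39;"),
            _ => out.push(c),
        }
    }
    out
}

/// Apply the resolved mode to the value an output expression produced.
pub fn emit(policy: &EscapePolicy, template: &Path, one_off: Option<AutoEscape>, value: &str) -> String {
    match policy.resolve(template, one_off) {
        AutoEscape::Html => escape_html(value),
        AutoEscape::None => value.to_string(),
    }
}

fn main() {
    // Constructed sample: HTML escaping by default, plain-text templates exempt.
    let policy = EscapePolicy { global: AutoEscape::Html, by_extension: vec![("txt", AutoEscape::None)] };
    println!("{}", emit(&policy, Path::new("page.liquid"), None, "<b>hi</b>"));
}
```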