
Security: document that escaping is not contextual

Open empijei opened this issue 6 years ago • 4 comments

Escaping is not contextual and HTML escaping is used in every context. This might lead newcomers to think that it is safe to interpolate user controlled data in a page, leading to XSS.

I think it would be better to point out in README or documentation that this package does not aim to protect users from XSS but just implements a rudimentary escaping mechanism.

Since some gophers might be used to html/template (which performs contextual autoescaping) this seems worth pointing out.

(I found a previous similar issue in #79 that might be a signal that this is an issue some other people might have encountered)

empijei avatar Jul 20 '19 10:07 empijei
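The gap described above, as an added example that is not part of this issue or of plush: `html.EscapeString` stands in for an engine that applies the same HTML escaping in every context, and `html/template` shows what contextual autoescaping does with the same two constructed inputs (a URL context and an unquoted attribute context, neither of which contains a character plain HTML escaping touches).

```go
package main

import (
	"bytes"
	"fmt"
	"html"
	"html/template"
)

// Constructed inputs: the first lands in a URL context, the second in an
// unquoted attribute context. Neither contains <, >, &, ' or ", so plain
// HTML escaping leaves both untouched.
const (
	badHref  = "javascript:alert(1)"
	badClass = "x onmouseover=alert(1)"
)

// escapeEverywhere stands in for a template engine that HTML-escapes every
// interpolation regardless of where it sits (the behaviour this issue reports).
func escapeEverywhere(format, value string) string {
	return fmt.Sprintf(format, html.EscapeString(value))
}

// escapeContextual renders the same markup with html/template, which picks
// the escaper from the surrounding HTML context at parse time.
func escapeContextual(tmpl, value string) (string, error) {
	t, err := template.New("page").Parse(tmpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, value); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func main() {
	cases := []struct{ printf, tmpl, value string }{
		{`<a href="%s">link</a>`, `<a href="{{.}}">link</a>`, badHref},
		{`<div class=%s>x</div>`, `<div class={{.}}>x</div>`, badClass},
	}
	for _, c := range cases {
		ctx, err := escapeContextual(c.tmpl, c.value)
		if err != nil {
			panic(err)
		}
		fmt.Printf("html-only:  %s\ncontextual: %s\n\n", escapeEverywhere(c.printf, c.value), ctx)
	}
}
```

In the URL case html/template replaces the unsafe scheme with `#ZgotmplZ`; in the unquoted-attribute case it escapes the space and `=`, so no second attribute is created.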

@markbates wdyt?

empijei avatar Aug 31 '19 16:08 empijei

PRs docs are always welcome.

markbates avatar Aug 31 '19 16:08 markbates

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment. Otherwise, this will be closed in 7 days.

github-actions[bot] avatar Oct 05 '22 03:10 github-actions[bot]

The behavior should be revisited in the near future; also, the fine-grained description should be in the document.

sio4 avatar Oct 06 '22 10:10 sio4