inja
Escape HTML in substituted text
Inja doesn't [seem to] have a way to escape HTML entities in a text substitution. So in any situation where you're displaying a user-provided string in a template, like <div>{{commentText}}</div>, you're open to an HTML (and JS...) injection attack unless you've already escaped the string before putting it in the JSON context.
It would be very nice if inja came with an escape(str) function that escaped all HTML meta-characters in str.
Some template engines escape everything by default, and require you to use a special syntax to bypass it for when you truly want to insert HTML. This is much better from a security standpoint, but has obvious backward-compatibility issues :). Maybe it could be enabled with a flag in the environment?
Here's how Jinja does HTML escaping
I really like the | pipe syntax for filters; that would be a great feature to add.
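As an added illustration (not code from the issue author or from the inja project), this is the kind of escape(str) the post asks for: it rewrites the five HTML meta-characters so user text dropped into an element body or a quoted attribute value stays literal. The function name escape_html and the sample input are my own; registering it with inja's Environment::add_callback is left out because that needs the inja headers.

```cpp
#include <string>
#include <string_view>

// Escape the HTML meta-characters in user-supplied text so that it renders
// literally when substituted into a template such as <div>{{commentText}}</div>.
// Covers element bodies and double- or single-quoted attribute values.
// The input is copied into a fresh buffer, so an existing '&' is escaped exactly
// once and never re-expanded (escape_html("&amp;") yields "&amp;amp;").
std::string escape_html(std::string_view in) {
    std::string out;
    out.reserve(in.size() + in.size() / 8);  // headroom for a few entities
    for (char c : in) {
        switch (c) {
            case '&':  out += "&amp;";  break;
            case '<':  out += "&lt;";   break;
            case '>':  out += "&gt;";   break;
            case '"':  out += "&quot;"; break;
            case '\'': out += "&#39;";  break;  // numeric form: &apos; is not HTML 4
            default:   out += c;        break;
        }
    }
    return out;
}

// Build the JSON-context value the way the post suggests: escape first, then
// hand the already-safe string to the template engine.
std::string comment_for_context(std::string_view raw_comment) {
    return escape_html(raw_comment);
}

int main() {
    // Constructed sample input standing in for a user-submitted comment.
    const std::string_view sample = "<b>Tom & Jerry</b> said \"hi\" & 'bye'";
    std::string safe = comment_for_context(sample);
    return safe.find('<') == std::string::npos ? 0 : 1;
}
```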