askama/askama_escape/src, branch main added poem support escape: simplify literals as suggested by clippy 2023-08-25T11:22:05+00:00 Dirkjan Ochtman dirkjan@ochtman.nl 2023-08-25T07:28:20+00:00 c96fd996bb61f1b65196187ca6774fd6ab4a17b6 






Use lookup table
2023-03-30T12:49:15+00:00

René Kijewski
rene.kijewski@fu-berlin.de

2023-03-30T12:12:15+00:00

3b830b0fee51306f0100bb27292fd8dd09bf08f3












Escape HTML faster
2023-03-30T12:49:15+00:00

René Kijewski
rene.kijewski@fu-berlin.de

2023-03-30T04:28:26+00:00

6daf343e8b1b99cb776e244f9f8e658e1887e633

Escaped HTML characters vary in length. So, in order to select the
correct replacement two variables need to be loaded: The pointer to the
new substring and its length. Because of this the generated code is less
dense than it could be.

With this PR instead of selecting the appropriate `&str`, an `&&str` is
selected. The former consumes two words while the latter consumes only
one. Intuitively one might assume that the double dereference makes the
code slower, but the optimized lookup seems to be so much faster, so
that the change is worth its weight.

Comparing the result of `cargo bench` (best out of three runs for both):

```text
Old:  [4.3592 µs 4.3675 µs 4.3764 µs]
New:  [3.8691 µs 3.8766 µs 3.8860 µs]
Diff: [-11.24 %  -11.24 %  -12.21 % ]
```





Escaped HTML characters vary in length. So, in order to select the
correct replacement two variables need to be loaded: The pointer to the
new substring and its length. Because of this the generated code is less
dense than it could be.

With this PR instead of selecting the appropriate `&str`, an `&&str` is
selected. The former consumes two words while the latter consumes only
one. Intuitively one might assume that the double dereference makes the
code slower, but the optimized lookup seems to be so much faster, so
that the change is worth its weight.

Comparing the result of `cargo bench` (best out of three runs for both):

```text
Old:  [4.3592 µs 4.3675 µs 4.3764 µs]
New:  [3.8691 µs 3.8766 µs 3.8860 µs]
Diff: [-11.24 %  -11.24 %  -12.21 % ]
```







Apply clippy suggestions for 1.67 (#769)
2023-01-30T08:51:23+00:00

Dirkjan Ochtman
dirkjan@ochtman.nl

2023-01-30T08:51:23+00:00

3003d86264680433e789d2726d0d12d2c6267c40












Remove `unsafe { … }` code from askama_escape
2022-04-13T11:18:27+00:00

René Kijewski
kijewski@library.vetmed.fu-berlin.de

2022-04-13T09:50:10+00:00

fc779e22c3bfa0e94df208a88a361b99e28a9129

Using only safe code is actually same as fast as the previous "unsafe"
code according to the crate's benchmark.

The code was extracted from [markup]'s escape function in [escape.rs],
written by Utkarsh Kukreti <utkarshkukreti@gmail.com>, licensed as
`MIT OR Apache-2.0`.

[markup]: https://crates.io/crates/markup
[escape.rs]: https://github.com/utkarshkukreti/markup.rs/blob/8ec40428483790b2c296e907e7be4147b157fe8f/markup/src/escape.rs#L1-L21





Using only safe code is actually same as fast as the previous "unsafe"
code according to the crate's benchmark.

The code was extracted from [markup]'s escape function in [escape.rs],
written by Utkarsh Kukreti <utkarshkukreti@gmail.com>, licensed as
`MIT OR Apache-2.0`.

[markup]: https://crates.io/crates/markup
[escape.rs]: https://github.com/utkarshkukreti/markup.rs/blob/8ec40428483790b2c296e907e7be4147b157fe8f/markup/src/escape.rs#L1-L21







Make json filter safe
2022-02-16T13:51:39+00:00

René Kijewski
kijewski@library.vetmed.fu-berlin.de

2022-02-01T14:32:37+00:00

29f0c0607ad3d25491f4c4a6ca19b463610ae92d

Previously the built-in json filter had an issue that made it unsafe to
use in HTML data. When used in HTML attributes an attacker who is able
to supply an arbitrary string that should be JSON encoded could close
the containing HTML element e.g. with `"</div>"`, and write arbitrary
HTML code afterwards as long as they use apostrophes instead of
quotation marks. The programmer could make this use case safe by
explicitly escaping the JSON result: `{{data|json|escape}}`.

In a `<script>` context the json filter was not usable at all, because
in scripts HTML escaped entities are not parsed outside of XHTML
documents. Without using the safe filter an attacker could close the
current script using `"</script>"`.

This PR fixes the problem by always escaping less-than, greater-than,
ampersand, and apostrophe characters using their JSON unicode escape
sequence `\u00xx`. Unless the programmer explicitly uses the safe
filter, quotation marks are HTML encoded as `&quot`. In scripts the
programmer should use the safe filter, otherwise not.





Previously the built-in json filter had an issue that made it unsafe to
use in HTML data. When used in HTML attributes an attacker who is able
to supply an arbitrary string that should be JSON encoded could close
the containing HTML element e.g. with `"</div>"`, and write arbitrary
HTML code afterwards as long as they use apostrophes instead of
quotation marks. The programmer could make this use case safe by
explicitly escaping the JSON result: `{{data|json|escape}}`.

In a `<script>` context the json filter was not usable at all, because
in scripts HTML escaped entities are not parsed outside of XHTML
documents. Without using the safe filter an attacker could close the
current script using `"</script>"`.

This PR fixes the problem by always escaping less-than, greater-than,
ampersand, and apostrophe characters using their JSON unicode escape
sequence `\u00xx`. Unless the programmer explicitly uses the safe
filter, quotation marks are HTML encoded as `&quot`. In scripts the
programmer should use the safe filter, otherwise not.







Add `#![deny(unreachable_pub)]` to all crates
2022-01-06T12:05:24+00:00

René Kijewski
kijewski@library.vetmed.fu-berlin.de

2022-01-05T18:41:23+00:00

9dfe4cb39a62c543c8680194cf586aa486066ba1












Omit implicit lifetimes
2022-01-06T12:05:24+00:00

René Kijewski
kijewski@library.vetmed.fu-berlin.de

2022-01-05T18:30:38+00:00

f4254dedcfcfce4000abc91b4860c36d3fb91430












Add `#[derive(Debug)]` for public types
2022-01-06T12:05:24+00:00

René Kijewski
kijewski@library.vetmed.fu-berlin.de

2022-01-05T18:27:28+00:00

697f92dc273ed82da8012216079361853c2457f2












Fix suggestions from nightly clippy
2021-12-22T11:30:43+00:00

Dirkjan Ochtman
dirkjan@ochtman.nl

2021-12-22T07:36:07+00:00

4d936524ba4b595a660e63650495fa96e709550a