Remove forward-slash escape (#486)

This was based off of the OWASP XSS prevention cheat sheet -- https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html#output-encoding-rules-summary However, there isn't really any attack vector based on forward slash alone, and it's being removed in the next version of that document. > There is no proof that escaping forward slash will improve > defense against XSS, if all other special characters are escaped > properly, but it forces developers to use non-standard implementation of > the HTML escaping, what increases the risk of the mistake and makes the > implementation harder. https://github.com/OWASP/CheatSheetSeries/pull/516
author: Alex Wennerberg <alex@alexwennerberg.com> 2021-05-17 12:33:47 -0700
committer: GitHub <noreply@github.com> 2021-05-17 21:33:47 +0200
commit: c0e75554d2e7b1f51c26f5af304a7fb64e9a69e8 (patch)
tree: fde52a1df9c6e4b4e307311e27c7fcf84c074ac4
parent: 92df4d1fe49e8fde5ca13f13b8236102bc16b969 (diff)
download: askama-c0e75554d2e7b1f51c26f5af304a7fb64e9a69e8.tar.gz
askama-c0e75554d2e7b1f51c26f5af304a7fb64e9a69e8.tar.bz2
askama-c0e75554d2e7b1f51c26f5af304a7fb64e9a69e8.zip
3 files changed, 3 insertions, 7 deletions
diff --git a/askama_escape/src/lib.rs b/askama_escape/src/lib.rs
index fcc36c6..577b793 100644
--- a/askama_escape/src/lib.rs
+++ b/askama_escape/src/lib.rs
@@ -129,7 +129,6 @@ impl Escaper for Html {
                     b'&' => escaping_body!(start, i, fmt, bytes, "&amp;"),
                     b'"' => escaping_body!(start, i, fmt, bytes, "&quot;"),
                     b'\'' => escaping_body!(start, i, fmt, bytes, "&#x27;"),
-                    b'/' => escaping_body!(start, i, fmt, bytes, "&#x2f;"),
                     _ => (),
                 }
             }
diff --git a/testing/tests/filters.rs b/testing/tests/filters.rs
index 22a8fa9..1f382f6 100644
--- a/testing/tests/filters.rs
+++ b/testing/tests/filters.rs
@@ -21,7 +21,7 @@ fn filter_escape() {
     };
     assert_eq!(
         s.render().unwrap(),
-        "&#x2f;&#x2f; my &lt;html&gt; is &quot;unsafe&quot; &amp; \
+        "// my &lt;html&gt; is &quot;unsafe&quot; &amp; \
          should be &#x27;escaped&#x27;"
     );
 }
diff --git a/testing/tests/simple.rs b/testing/tests/simple.rs
index b6dd31a..c712900 100644
--- a/testing/tests/simple.rs
+++ b/testing/tests/simple.rs
@@ -40,12 +40,9 @@ struct EscapeTemplate<'a> {
 
 #[test]
 fn test_escape() {
-    let s = EscapeTemplate { name: "<>&\"'/" };
+    let s = EscapeTemplate { name: "<>&\"'" };
 
-    assert_eq!(
-        s.render().unwrap(),
-        "Hello, &lt;&gt;&amp;&quot;&#x27;&#x2f;!"
-    );
+    assert_eq!(s.render().unwrap(), "Hello, &lt;&gt;&amp;&quot;&#x27;!");
 }
 
 #[derive(Template)]
author	Alex Wennerberg <alex@alexwennerberg.com>	2021-05-17 12:33:47 -0700
committer	GitHub <noreply@github.com>	2021-05-17 21:33:47 +0200
commit	c0e75554d2e7b1f51c26f5af304a7fb64e9a69e8 (patch)
tree	fde52a1df9c6e4b4e307311e27c7fcf84c074ac4
parent	92df4d1fe49e8fde5ca13f13b8236102bc16b969 (diff)
download	askama-c0e75554d2e7b1f51c26f5af304a7fb64e9a69e8.tar.gz askama-c0e75554d2e7b1f51c26f5af304a7fb64e9a69e8.tar.bz2 askama-c0e75554d2e7b1f51c26f5af304a7fb64e9a69e8.zip