| author | Alex Wennerberg <alex@alexwennerberg.com> | 2021-05-17 12:33:47 -0700 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2021-05-17 21:33:47 +0200 |
| commit | c0e75554d2e7b1f51c26f5af304a7fb64e9a69e8 | |
| tree | fde52a1df9c6e4b4e307311e27c7fcf84c074ac4 /askama_escape/src | |
| parent | 92df4d1fe49e8fde5ca13f13b8236102bc16b969 | |
Remove forward-slash escape (#486)
This was based off of the OWASP XSS prevention cheat sheet --
https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html#output-encoding-rules-summary
However, there isn't really any attack vector based on forward slash alone, and
it's being removed in the next version of that document.
> There is no proof that escaping forward slash will improve
> defense against XSS, if all other special characters are escaped
> properly, but it forces developers to use non-standard implementation of
> the HTML escaping, what increases the risk of the mistake and makes the
> implementation harder.
https://github.com/OWASP/CheatSheetSeries/pull/516
Diffstat
| -rw-r--r-- | askama_escape/src/lib.rs | 1 |
1 files changed, 0 insertions, 1 deletions
diff --git a/askama_escape/src/lib.rs b/askama_escape/src/lib.rs index fcc36c6..577b793 100644 --- a/askama_escape/src/lib.rs +++ b/askama_escape/src/lib.rs @@ -129,7 +129,6 @@ impl Escaper for Html { b'&' => escaping_body!(start, i, fmt, bytes, "&"), b'"' => escaping_body!(start, i, fmt, bytes, """), b'\'' => escaping_body!(start, i, fmt, bytes, "'"), - b'/' => escaping_body!(start, i, fmt, bytes, "/"), _ => (), } } |
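Review bot: removing the `b'/'` arm is a user-visible change in escaper output (every `/` in a URL, path or closing tag inside rendered data now passes through the `_ => ()` fall-through unescaped), yet the diffstat touches only `askama_escape/src/lib.rs`, so a test asserting that `/` is emitted verbatim while `&`, `"` and `'` still produce their escaped forms would pin the new behaviour, and the change deserves a changelog entry and a version bump for the `askama_escape` crate. The OWASP rationale quoted in the message holds only while `<` continues to be escaped, which this hunk does not show (its arms start at `&`); the reviewer should confirm that the `<` and `>` arms above line 129 are untouched. The replacement strings in this hunk render as bare characters (`"&"`, `"'"`) rather than the entity text the escaper writes, which looks like entity decoding by the page rather than the source; worth verifying against the raw patch before merging on the basis of this view.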