aboutsummaryrefslogtreecommitdiffstats
path: root/askama_escape
diff options
context:
space:
mode:
authorLibravatar Alex Wennerberg <alex@alexwennerberg.com>2021-05-17 12:33:47 -0700
committerLibravatar GitHub <noreply@github.com>2021-05-17 21:33:47 +0200
commitc0e75554d2e7b1f51c26f5af304a7fb64e9a69e8 (patch)
treefde52a1df9c6e4b4e307311e27c7fcf84c074ac4 /askama_escape
parent92df4d1fe49e8fde5ca13f13b8236102bc16b969 (diff)
downloadaskama-c0e75554d2e7b1f51c26f5af304a7fb64e9a69e8.tar.gz
askama-c0e75554d2e7b1f51c26f5af304a7fb64e9a69e8.tar.bz2
askama-c0e75554d2e7b1f51c26f5af304a7fb64e9a69e8.zip
Remove forward-slash escape (#486)
This was based off of the OWASP XSS prevention cheat sheet -- https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html#output-encoding-rules-summary However, there isn't really any attack vector based on forward slash alone, and it's being removed in the next version of that document. > There is no proof that escaping forward slash will improve > defense against XSS, if all other special characters are escaped > properly, but it forces developers to use non-standard implementation of > the HTML escaping, what increases the risk of the mistake and makes the > implementation harder. https://github.com/OWASP/CheatSheetSeries/pull/516
Diffstat (limited to 'askama_escape')
-rw-r--r--askama_escape/src/lib.rs1
1 files changed, 0 insertions, 1 deletions
diff --git a/askama_escape/src/lib.rs b/askama_escape/src/lib.rs
index fcc36c6..577b793 100644
--- a/askama_escape/src/lib.rs
+++ b/askama_escape/src/lib.rs
@@ -129,7 +129,6 @@ impl Escaper for Html {
b'&' => escaping_body!(start, i, fmt, bytes, "&amp;"),
b'"' => escaping_body!(start, i, fmt, bytes, "&quot;"),
b'\'' => escaping_body!(start, i, fmt, bytes, "&#x27;"),
- b'/' => escaping_body!(start, i, fmt, bytes, "&#x2f;"),
_ => (),
}
}