diff options
author | Alex Wennerberg <alex@alexwennerberg.com> | 2021-05-17 12:33:47 -0700 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-05-17 21:33:47 +0200 |
commit | c0e75554d2e7b1f51c26f5af304a7fb64e9a69e8 (patch) | |
tree | fde52a1df9c6e4b4e307311e27c7fcf84c074ac4 /askama_iron/LICENSE-APACHE | |
parent | 92df4d1fe49e8fde5ca13f13b8236102bc16b969 (diff) | |
download | askama-c0e75554d2e7b1f51c26f5af304a7fb64e9a69e8.tar.gz askama-c0e75554d2e7b1f51c26f5af304a7fb64e9a69e8.tar.bz2 askama-c0e75554d2e7b1f51c26f5af304a7fb64e9a69e8.zip |
Remove forward-slash escape (#486)
This was based off of the OWASP XSS prevention cheat sheet --
https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html#output-encoding-rules-summary
However, there isn't really any attack vector based on forward slash alone, and
it's being removed in the next version of that document.
> There is no proof that escaping forward slash will improve
> defense against XSS, if all other special characters are escaped
> properly, but it forces developers to use non-standard implementation of
> the HTML escaping, what increases the risk of the mistake and makes the
> implementation harder.
https://github.com/OWASP/CheatSheetSeries/pull/516
Diffstat (limited to '')
0 files changed, 0 insertions, 0 deletions