diff options
author | Dirkjan Ochtman <dirkjan@ochtman.nl> | 2017-09-07 20:42:55 +0200 |
---|---|---|
committer | Dirkjan Ochtman <dirkjan@ochtman.nl> | 2017-09-07 20:42:55 +0200 |
commit | 7c29bf765fd666e61b9bc7d0eb40909b8e9002da (patch) | |
tree | 450263b920a0239ab6d4734dd385e2c1978d068e /askama_shared | |
parent | df2637c0324d2cb3f5925b8595417b08496de4a5 (diff) | |
download | askama-7c29bf765fd666e61b9bc7d0eb40909b8e9002da.tar.gz askama-7c29bf765fd666e61b9bc7d0eb40909b8e9002da.tar.bz2 askama-7c29bf765fd666e61b9bc7d0eb40909b8e9002da.zip |
Extend escaping according to OWASP recommendations
Diffstat (limited to '')
-rw-r--r-- | askama_shared/src/escaping.rs | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/askama_shared/src/escaping.rs b/askama_shared/src/escaping.rs index ed4b3d7..a8a3559 100644 --- a/askama_shared/src/escaping.rs +++ b/askama_shared/src/escaping.rs @@ -42,7 +42,7 @@ impl<T> Display for MarkupDisplay<T> where T: Display { fn escapable(b: &u8) -> bool { - *b == b'<' || *b == b'>' || *b == b'&' + *b == b'<' || *b == b'>' || *b == b'&' || *b == b'"' || *b == b'\'' || *b == b'/' } pub fn escape(s: String) -> String { @@ -57,7 +57,7 @@ pub fn escape(s: String) -> String { } let bytes = s.as_bytes(); - let max_len = bytes.len() + found.len() * 3; + let max_len = bytes.len() + found.len() * 5; let mut res = Vec::<u8>::with_capacity(max_len); let mut start = 0; for idx in &found { @@ -69,6 +69,9 @@ pub fn escape(s: String) -> String { b'<' => { res.extend(b"<"); }, b'>' => { res.extend(b">"); }, b'&' => { res.extend(b"&"); }, + b'"' => { res.extend(b"""); }, + b'\'' => { res.extend(b"'"); }, + b'/' => { res.extend(b"/"); }, _ => panic!("incorrect indexing"), } } |