aboutsummaryrefslogtreecommitdiffstats
path: root/askama_shared
diff options
context:
space:
mode:
authorLibravatar Dirkjan Ochtman <dirkjan@ochtman.nl>2017-09-07 20:42:55 +0200
committerLibravatar Dirkjan Ochtman <dirkjan@ochtman.nl>2017-09-07 20:42:55 +0200
commit7c29bf765fd666e61b9bc7d0eb40909b8e9002da (patch)
tree450263b920a0239ab6d4734dd385e2c1978d068e /askama_shared
parentdf2637c0324d2cb3f5925b8595417b08496de4a5 (diff)
downloadaskama-7c29bf765fd666e61b9bc7d0eb40909b8e9002da.tar.gz
askama-7c29bf765fd666e61b9bc7d0eb40909b8e9002da.tar.bz2
askama-7c29bf765fd666e61b9bc7d0eb40909b8e9002da.zip
Extend escaping according to OWASP recommendations
Diffstat (limited to '')
-rw-r--r--askama_shared/src/escaping.rs7
1 files changed, 5 insertions, 2 deletions
diff --git a/askama_shared/src/escaping.rs b/askama_shared/src/escaping.rs
index ed4b3d7..a8a3559 100644
--- a/askama_shared/src/escaping.rs
+++ b/askama_shared/src/escaping.rs
@@ -42,7 +42,7 @@ impl<T> Display for MarkupDisplay<T> where T: Display {
fn escapable(b: &u8) -> bool {
- *b == b'<' || *b == b'>' || *b == b'&'
+ *b == b'<' || *b == b'>' || *b == b'&' || *b == b'"' || *b == b'\'' || *b == b'/'
}
pub fn escape(s: String) -> String {
@@ -57,7 +57,7 @@ pub fn escape(s: String) -> String {
}
let bytes = s.as_bytes();
- let max_len = bytes.len() + found.len() * 3;
+ let max_len = bytes.len() + found.len() * 5;
let mut res = Vec::<u8>::with_capacity(max_len);
let mut start = 0;
for idx in &found {
@@ -69,6 +69,9 @@ pub fn escape(s: String) -> String {
b'<' => { res.extend(b"&lt;"); },
b'>' => { res.extend(b"&gt;"); },
b'&' => { res.extend(b"&amp;"); },
+ b'"' => { res.extend(b"&quot;"); },
+ b'\'' => { res.extend(b"&#x27;"); },
+ b'/' => { res.extend(b"&#x2f;"); },
_ => panic!("incorrect indexing"),
}
}