diff options
-rw-r--r-- | askama/src/filters/mod.rs | 5 | ||||
-rw-r--r-- | book/src/template_syntax.md | 4 |
2 files changed, 6 insertions, 3 deletions
diff --git a/askama/src/filters/mod.rs b/askama/src/filters/mod.rs index a4572e3..7312cd5 100644 --- a/askama/src/filters/mod.rs +++ b/askama/src/filters/mod.rs @@ -59,11 +59,14 @@ where Ok(MarkupDisplay::new_safe(v, e)) } -/// Escapes `&`, `<` and `>` in strings +/// Escapes strings according to the escape mode. /// /// Askama will automatically insert the first (`Escaper`) argument, /// so this filter only takes a single argument of any type that implements /// `Display`. +/// +/// It is possible to optionally specify an escaper other than the default for +/// the template's extension, like `{{ val|escape("txt") }}`. pub fn escape<E, T>(e: E, v: T) -> Result<MarkupDisplay<E, T>> where E: Escaper, diff --git a/book/src/template_syntax.md b/book/src/template_syntax.md index 23b5dea..d270800 100644 --- a/book/src/template_syntax.md +++ b/book/src/template_syntax.md @@ -155,12 +155,12 @@ or `xml`. When specifying a template as `source` in an attribute, the you can specify an escape mode explicitly for your template by setting the `escape` attribute parameter value (to `none` or `html`). -Askama escapes `<`, `>`, `&`, `"`, `'`, `\` and `/`, according to the +Askama escapes `<`, `>`, `&`, `"`, and `'`, according to the [OWASP escaping recommendations][owasp]. Use the `safe` filter to prevent escaping for a single expression, or the `escape` (or `e`) filter to escape a single expression in an unescaped context. -[owasp]: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content +[owasp]: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html#output-encoding-for-html-contexts ```rust #[derive(Template)] |