Commit message (Collapse) | Author | Age | Files | Lines | |
---|---|---|---|---|---|
* | Make json filter safe | René Kijewski | 2022-02-16 | 1 | -0/+3 |
| | | | | | | | | | | | | | | | | | | | | | Previously the built-in json filter had an issue that made it unsafe to use in HTML data. When used in HTML attributes an attacker who is able to supply an arbitrary string that should be JSON encoded could close the containing HTML element e.g. with `"</div>"`, and write arbitrary HTML code afterwards as long as they use apostrophes instead of quotation marks. The programmer could make this use case safe by explicitly escaping the JSON result: `{{data|json|escape}}`. In a `<script>` context the json filter was not usable at all, because in scripts HTML escaped entities are not parsed outside of XHTML documents. Without using the safe filter an attacker could close the current script using `"</script>"`. This PR fixes the problem by always escaping less-than, greater-than, ampersand, and apostrophe characters using their JSON unicode escape sequence `\u00xx`. Unless the programmer explicitly uses the safe filter, quotation marks are HTML encoded as `"`. In scripts the programmer should use the safe filter, otherwise not. | ||||
* | Remove authors from Cargo metadata (see RFC 3052) | Dirkjan Ochtman | 2021-11-24 | 1 | -1/+0 |
| | |||||
* | Bump version numbers in anticipation of beta release | Dirkjan Ochtman | 2021-08-21 | 1 | -1/+1 |
| | |||||
* | Add askama_escape README to crate metadata | Dirkjan Ochtman | 2020-06-30 | 1 | -1/+2 |
| | |||||
* | Bump version numbers | Dirkjan Ochtman | 2020-06-30 | 1 | -1/+1 |
| | |||||
* | Remove obsolete CI badges | Dirkjan Ochtman | 2020-01-15 | 1 | -2/+0 |
| | |||||
* | Bump version numbers to 0.9.0 | Dirkjan Ochtman | 2020-01-15 | 1 | -1/+1 |
| | |||||
* | Update criterion requirement from 0.2 to 0.3 | dependabot-preview[bot] | 2019-08-26 | 1 | -1/+1 |
| | | | | | | | | Updates the requirements on [criterion](https://github.com/bheisler/criterion.rs) to permit the latest version. - [Release notes](https://github.com/bheisler/criterion.rs/releases) - [Changelog](https://github.com/bheisler/criterion.rs/blob/master/CHANGELOG.md) - [Commits](https://github.com/bheisler/criterion.rs/compare/0.2.0...0.3.0) Signed-off-by: dependabot-preview[bot] <support@dependabot.com> | ||||
* | Bump versions in anticipation of 0.8.0 release | Dirkjan Ochtman | 2019-01-17 | 1 | -1/+1 |
| | |||||
* | Upgrade to 2018 edition | Dirkjan Ochtman | 2018-12-08 | 1 | -0/+1 |
| | |||||
* | Move escaping benchmarks into askama_escape crate | Dirkjan Ochtman | 2018-11-14 | 1 | -0/+7 |
| | |||||
* | Tweak metadata for new askama_escape crate | Dirkjan Ochtman | 2018-11-07 | 1 | -2/+9 |
| | |||||
* | Clean up unused features | Dirkjan Ochtman | 2018-11-07 | 1 | -7/+0 |
| | |||||
* | Create askama_escape crate | bott | 2018-11-07 | 1 | -0/+16 |