path: root/askama_escape/Cargo.toml
Commit message | Author | Age | Files | Lines
* Make json filter safe | René Kijewski | 2022-02-16 | 1 | -0/+3

  Previously the built-in json filter had an issue that made it unsafe to use in HTML data. When used in HTML attributes an attacker who is able to supply an arbitrary string that should be JSON encoded could close the containing HTML element, e.g. with `"</div>"`, and write arbitrary HTML code afterwards as long as they use apostrophes instead of quotation marks. The programmer could make this use case safe by explicitly escaping the JSON result: `{{data|json|escape}}`.

  In a `<script>` context the json filter was not usable at all, because in scripts HTML escaped entities are not parsed outside of XHTML documents. Without using the safe filter an attacker could close the current script using `"</script>"`.

  This PR fixes the problem by always escaping less-than, greater-than, ampersand, and apostrophe characters using their JSON unicode escape sequence `\u00xx`. Unless the programmer explicitly uses the safe filter, quotation marks are HTML encoded as `&quot`. In scripts the programmer should use the safe filter, otherwise not.
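The escaping scheme that commit message describes, carried out end to end as an added example (this is not askama's own filter code; the function names are hypothetical, the quotation-mark entity is emitted with its trailing semicolon, and the JSON encoder is a minimal std-only stand-in for whatever serializer a project uses):

```rust
// Added example, not askama's code: JSON-encode a string, then apply the
// HTML-safe escaping the commit describes. Function names are hypothetical.
fn json_string(s: &str) -> String {
    let mut out = String::with_capacity(s.len() + 2);
    out.push('"');
    for c in s.chars() {
        match c {
            '"' => out.push_str("\\\""),
            '\\' => out.push_str("\\\\"),
            '\n' => out.push_str("\\n"),
            '\r' => out.push_str("\\r"),
            '\t' => out.push_str("\\t"),
            c if (c as u32) < 0x20 => out.push_str(&format!("\\u{:04x}", c as u32)),
            c => out.push(c),
        }
    }
    out.push('"');
    out
}

/// Post-process JSON text so it cannot break out of the surrounding HTML.
/// `<`, `>`, `&` and `'` become JSON `\u00xx` escapes; those characters only
/// ever occur inside JSON string literals, so the value parses as the same JSON.
/// `safe == false` models `{{ data|json }}` in an attribute: quotation marks
/// are HTML-encoded as `&quot;`, which the browser decodes back to `"`.
/// `safe == true` models `{{ data|json|safe }}` inside `<script>`, where
/// entities are not decoded and the quotes must stay literal.
fn json_for_html(json: &str, safe: bool) -> String {
    let mut out = String::with_capacity(json.len());
    for c in json.chars() {
        match c {
            '<' => out.push_str("\\u003c"),
            '>' => out.push_str("\\u003e"),
            '&' => out.push_str("\\u0026"),
            '\'' => out.push_str("\\u0027"),
            '"' if !safe => out.push_str("&quot;"),
            c => out.push(c),
        }
    }
    out
}

fn main() {
    // Constructed input that the unpatched filter would have let close the script.
    let payload = json_string("</script><img src=x>");
    println!("<script>var d = {};</script>", json_for_html(&payload, true));
    println!("<div data-d=\"{}\"></div>", json_for_html(&payload, false));
}
```

Whichever context the value lands in, no literal `<`, `>`, `&` or `'` survives, so neither the element nor the script block can be closed from inside the JSON.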
* Remove authors from Cargo metadata (see RFC 3052) | Dirkjan Ochtman | 2021-11-24 | 1 | -1/+0
* Bump version numbers in anticipation of beta release | Dirkjan Ochtman | 2021-08-21 | 1 | -1/+1
* Add askama_escape README to crate metadata | Dirkjan Ochtman | 2020-06-30 | 1 | -1/+2
* Bump version numbers | Dirkjan Ochtman | 2020-06-30 | 1 | -1/+1
* Remove obsolete CI badges | Dirkjan Ochtman | 2020-01-15 | 1 | -2/+0
* Bump version numbers to 0.9.0 | Dirkjan Ochtman | 2020-01-15 | 1 | -1/+1
* Update criterion requirement from 0.2 to 0.3 | dependabot-preview[bot] | 2019-08-26 | 1 | -1/+1

  Updates the requirements on [criterion](https://github.com/bheisler/criterion.rs) to permit the latest version.
  - [Release notes](https://github.com/bheisler/criterion.rs/releases)
  - [Changelog](https://github.com/bheisler/criterion.rs/blob/master/CHANGELOG.md)
  - [Commits](https://github.com/bheisler/criterion.rs/compare/0.2.0...0.3.0)

  Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
* Bump versions in anticipation of 0.8.0 release | Dirkjan Ochtman | 2019-01-17 | 1 | -1/+1
* Upgrade to 2018 edition | Dirkjan Ochtman | 2018-12-08 | 1 | -0/+1
* Move escaping benchmarks into askama_escape crate | Dirkjan Ochtman | 2018-11-14 | 1 | -0/+7
* Tweak metadata for new askama_escape crate | Dirkjan Ochtman | 2018-11-07 | 1 | -2/+9
* Clean up unused features | Dirkjan Ochtman | 2018-11-07 | 1 | -7/+0
* Create askama_escape crate | bott | 2018-11-07 | 1 | -0/+16