aboutsummaryrefslogtreecommitdiffstats
path: root/book/src (follow)
Commit message (Collapse)AuthorAgeFilesLines
* Add documentation for "config" parameterLibravatar Guillaume Gomez2022-04-211-2/+9
|
* Add documentation for suppress_whitespaceLibravatar Guillaume Gomez2022-04-211-1/+28
|
* Book: document markdown filterLibravatar René Kijewski2022-02-211-0/+25
|
* Book: add TOC to filtersLibravatar René Kijewski2022-02-211-1/+48
|
* Make json filter safeLibravatar René Kijewski2022-02-161-25/+47
| | | | | | | | | | | | | | | | | | | | | Previously the built-in json filter had an issue that made it unsafe to use in HTML data. When used in HTML attributes an attacker who is able to supply an arbitrary string that should be JSON encoded could close the containing HTML element e.g. with `"</div>"`, and write arbitrary HTML code afterwards as long as they use apostrophes instead of quotation marks. The programmer could make this use case safe by explicitly escaping the JSON result: `{{data|json|escape}}`. In a `<script>` context the json filter was not usable at all, because in scripts HTML escaped entities are not parsed outside of XHTML documents. Without using the safe filter an attacker could close the current script using `"</script>"`. This PR fixes the problem by always escaping less-than, greater-than, ampersand, and apostrophe characters using their JSON unicode escape sequence `\u00xx`. Unless the programmer explicitly uses the safe filter, quotation marks are HTML encoded as `&quot`. In scripts the programmer should use the safe filter, otherwise not.
* Update README.md, sync with the bookLibravatar René Kijewski2022-02-021-2/+3
|
* Add Axum integrationLibravatar Michael Alyn Miller2021-11-271-0/+12
|
* Updated book to include optional escaper for escape filterLibravatar vallentin2021-11-191-0/+22
|
* Remove the askama_iron integrationLibravatar Dirkjan Ochtman2021-08-051-12/+0
| | | | | | | This web framework seems not to have been updated for quite a while, and its current version appears to depend on vulnerable crates. Remove it for now. If someone wants to fix up Iron upstream and reinstate this, I'd be happy to review your PR.
* updated the book to describe the new paragraphbreaks filterLibravatar mbuscemi2021-03-221-0/+18
|
* Added missing punctuation and backticksLibravatar vallentin2021-01-061-14/+16
|
* Added abs filter to bookLibravatar vallentin2021-01-061-0/+14
|
* Updated book to include tojson aliasLibravatar vallentin2020-12-301-1/+3
|
* Updated book to be on par with readmeLibravatar vallentin2020-12-261-6/+1
|
* Updated book to include let shadowLibravatar vallentin2020-12-251-1/+11
|
* Updated book to include nested commentsLibravatar vallentin2020-12-181-1/+10
|
* Updated book to include set aliasLibravatar vallentin2020-12-161-1/+3
|
* Fix small wording issues in bookLibravatar Fabian Würfl2020-11-211-2/+2
|
* Fix links and actions which were broken since the default branch was renamed ↵Libravatar jake2020-10-262-7/+7
| | | | from master to main
* Use efficient method for nested template renderingLibravatar Dirkjan Ochtman2020-08-251-2/+3
|
* Fix filter docs to clarify whitespace handlingLibravatar Dirkjan Ochtman2020-07-231-16/+18
|
* askama tideLibravatar Jacob Rothstein2020-07-141-0/+9
|
* Prune duplicate documentationLibravatar Dirkjan Ochtman2020-06-301-2/+2
|
* Single capital in section titlesLibravatar Dirkjan Ochtman2020-06-301-3/+3
|
* Move optional filter documentation into filters sectionLibravatar Dirkjan Ochtman2020-06-302-25/+26
|
* Initial Askama Book (#332)Libravatar cetra32020-06-299-0/+1011