Commit message (Collapse) | Author | Files | Lines | ||
---|---|---|---|---|---|
2022-04-26 | Add documentation for `~` and `"minimize"` | Guillaume Gomez | 1 | -3/+18 | |
2022-04-21 | Update `whitespace` documentation | Guillaume Gomez | 1 | -2/+2 | |
2022-04-21 | Add documentation for "config" parameter | Guillaume Gomez | 1 | -2/+9 | |
2022-04-21 | Add documentation for suppress_whitespace | Guillaume Gomez | 1 | -1/+28 | |
2022-02-21 | Book: document markdown filter | René Kijewski | 1 | -0/+25 | |
2022-02-21 | Book: add TOC to filters | René Kijewski | 1 | -1/+48 | |
2022-02-16 | Make json filter safe | René Kijewski | 1 | -25/+47 | |
Previously the built-in json filter had an issue that made it unsafe to use in HTML data. When used in HTML attributes an attacker who is able to supply an arbitrary string that should be JSON encoded could close the containing HTML element e.g. with `"</div>"`, and write arbitrary HTML code afterwards as long as they use apostrophes instead of quotation marks. The programmer could make this use case safe by explicitly escaping the JSON result: `{{data|json|escape}}`. In a `<script>` context the json filter was not usable at all, because in scripts HTML escaped entities are not parsed outside of XHTML documents. Without using the safe filter an attacker could close the current script using `"</script>"`. This PR fixes the problem by always escaping less-than, greater-than, ampersand, and apostrophe characters using their JSON unicode escape sequence `\u00xx`. Unless the programmer explicitly uses the safe filter, quotation marks are HTML encoded as `"`. In scripts the programmer should use the safe filter, otherwise not. | |||||
2022-02-02 | Update README.md, sync with the book | René Kijewski | 1 | -2/+3 | |
2021-11-27 | Add Axum integration | Michael Alyn Miller | 1 | -0/+12 | |
2021-11-19 | Updated book to include optional escaper for escape filter | vallentin | 1 | -0/+22 | |
2021-08-05 | Remove the askama_iron integration | Dirkjan Ochtman | 1 | -12/+0 | |
This web framework seems not to have been updated for quite a while, and its current version appears to depend on vulnerable crates. Remove it for now. If someone wants to fix up Iron upstream and reinstate this, I'd be happy to review your PR. | |||||
2021-03-22 | updated the book to describe the new paragraphbreaks filter | mbuscemi | 1 | -0/+18 | |
2021-01-06 | Added missing punctuation and backticks | vallentin | 1 | -14/+16 | |
2021-01-06 | Added abs filter to book | vallentin | 1 | -0/+14 | |
2020-12-30 | Updated book to include tojson alias | vallentin | 1 | -1/+3 | |
2020-12-26 | Updated book to be on par with readme | vallentin | 1 | -6/+1 | |
2020-12-25 | Updated book to include let shadow | vallentin | 1 | -1/+11 | |
2020-12-18 | Updated book to include nested comments | vallentin | 1 | -1/+10 | |
2020-12-16 | Updated book to include set alias | vallentin | 1 | -1/+3 | |
2020-11-21 | Fix small wording issues in book | Fabian Würfl | 1 | -2/+2 | |
2020-10-26 | Fix links and actions which were broken since the default branch was renamed ↵ | jake | 2 | -7/+7 | |
from master to main | |||||
2020-08-25 | Use efficient method for nested template rendering | Dirkjan Ochtman | 1 | -2/+3 | |
2020-07-23 | Fix filter docs to clarify whitespace handling | Dirkjan Ochtman | 1 | -16/+18 | |
2020-07-14 | askama tide | Jacob Rothstein | 1 | -0/+9 | |
2020-06-30 | Prune duplicate documentation | Dirkjan Ochtman | 1 | -2/+2 | |
2020-06-30 | Single capital in section titles | Dirkjan Ochtman | 1 | -3/+3 | |
2020-06-30 | Move optional filter documentation into filters section | Dirkjan Ochtman | 2 | -25/+26 | |
2020-06-29 | Add myself as an author | Dirkjan Ochtman | 1 | -1/+1 | |
2020-06-29 | Initial Askama Book (#332) | cetra3 | 11 | -0/+1018 | |