aboutsummaryrefslogtreecommitdiffstats
path: root/testing/tests/whitespace.rs (unfollow)
Commit message (Collapse)AuthorFilesLines
2022-02-16Make json filter safeLibravatar René Kijewski1-1/+3
Previously the built-in json filter had an issue that made it unsafe to use in HTML data. When used in HTML attributes an attacker who is able to supply an arbitrary string that should be JSON encoded could close the containing HTML element e.g. with `"</div>"`, and write arbitrary HTML code afterwards as long as they use apostrophes instead of quotation marks. The programmer could make this use case safe by explicitly escaping the JSON result: `{{data|json|escape}}`. In a `<script>` context the json filter was not usable at all, because in scripts HTML escaped entities are not parsed outside of XHTML documents. Without using the safe filter an attacker could close the current script using `"</script>"`. This PR fixes the problem by always escaping less-than, greater-than, ampersand, and apostrophe characters using their JSON unicode escape sequence `\u00xx`. Unless the programmer explicitly uses the safe filter, quotation marks are HTML encoded as `&quot`. In scripts the programmer should use the safe filter, otherwise not.
2020-12-12Fixed whitespace issue when generating match (#399)Libravatar Christian Vallentin1-1/+1
* Fixed #397 * Updated parser to ignore whitespace between match and when * Updated test cases * Updated Python script to generate match ws tests * Added match ws tests * Resolved rustfmt lint
2020-07-20Fix additional clippy issueLibravatar Dirkjan Ochtman1-1/+1
2020-07-20Clean up clippy issuesLibravatar Dirkjan Ochtman1-1/+1
2020-06-30Add tests for allow whitespaces patchLibravatar Ciprian Dorin Craciun1-0/+41