From c0e75554d2e7b1f51c26f5af304a7fb64e9a69e8 Mon Sep 17 00:00:00 2001 From: Alex Wennerberg Date: Mon, 17 May 2021 12:33:47 -0700 Subject: Remove forward-slash escape (#486) This was based off of the OWASP XSS prevention cheat sheet -- https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html#output-encoding-rules-summary However, there isn't really any attack vector based on forward slash alone, and it's being removed in the next version of that document. > There is no proof that escaping forward slash will improve > defense against XSS, if all other special characters are escaped > properly, but it forces developers to use non-standard implementation of > the HTML escaping, what increases the risk of the mistake and makes the > implementation harder. https://github.com/OWASP/CheatSheetSeries/pull/516 --- askama_escape/src/lib.rs | 1 - 1 file changed, 1 deletion(-) (limited to 'askama_escape') diff --git a/askama_escape/src/lib.rs b/askama_escape/src/lib.rs index fcc36c6..577b793 100644 --- a/askama_escape/src/lib.rs +++ b/askama_escape/src/lib.rs @@ -129,7 +129,6 @@ impl Escaper for Html { b'&' => escaping_body!(start, i, fmt, bytes, "&"), b'"' => escaping_body!(start, i, fmt, bytes, """), b'\'' => escaping_body!(start, i, fmt, bytes, "'"), - b'/' => escaping_body!(start, i, fmt, bytes, "/"), _ => (), } } -- cgit