From c0e75554d2e7b1f51c26f5af304a7fb64e9a69e8 Mon Sep 17 00:00:00 2001 From: Alex Wennerberg Date: Mon, 17 May 2021 12:33:47 -0700 Subject: Remove forward-slash escape (#486) This was based off of the OWASP XSS prevention cheat sheet -- https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html#output-encoding-rules-summary However, there isn't really any attack vector based on forward slash alone, and it's being removed in the next version of that document. > There is no proof that escaping forward slash will improve > defense against XSS, if all other special characters are escaped > properly, but it forces developers to use non-standard implementation of > the HTML escaping, what increases the risk of the mistake and makes the > implementation harder. https://github.com/OWASP/CheatSheetSeries/pull/516 --- testing/tests/filters.rs | 2 +- testing/tests/simple.rs | 7 ++----- 2 files changed, 3 insertions(+), 6 deletions(-) (limited to 'testing') diff --git a/testing/tests/filters.rs b/testing/tests/filters.rs index 22a8fa9..1f382f6 100644 --- a/testing/tests/filters.rs +++ b/testing/tests/filters.rs @@ -21,7 +21,7 @@ fn filter_escape() { }; assert_eq!( s.render().unwrap(), - "// my <html> is "unsafe" & \ + "// my <html> is "unsafe" & \ should be 'escaped'" ); } diff --git a/testing/tests/simple.rs b/testing/tests/simple.rs index b6dd31a..c712900 100644 --- a/testing/tests/simple.rs +++ b/testing/tests/simple.rs @@ -40,12 +40,9 @@ struct EscapeTemplate<'a> { #[test] fn test_escape() { - let s = EscapeTemplate { name: "<>&\"'/" }; + let s = EscapeTemplate { name: "<>&\"'" }; - assert_eq!( - s.render().unwrap(), - "Hello, <>&"'/!" - ); + assert_eq!(s.render().unwrap(), "Hello, <>&"'!"); } #[derive(Template)] -- cgit