Escaping attributes, css, javascript, url's #129

Open
danielcompton opened this issue Feb 4, 2016 · 1 comment

@danielcompton

The OWASP XSS cheatsheet talks about escaping HTML, attributes, CSS, JavaScript, and URLs. It seems like Hiccup does HTML and URL escaping, but doesn't provide functions for escaping the others. Is my understanding correct, and would you be open to a patch for this? I'm not quite sure yet whether it would be possible to integrate it into the escape-html function, or if they would need to be separate functions.

Relates to #122.

@weavejester
Owner

The OWASP rules seem rather aggressive. They might conceivably protect against possible bugs in the browser, but they also make the output harder to read. I think I'd want this to be implemented as a non-default option, once #122 is merged.
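
Added example, not part of the thread and not Hiccup's code: a sketch of the per-context encoders the issue asks about, following the OWASP cheatsheet's approach of encoding every character below 256 that is not an ASCII letter or digit. The namespace, the function names and `html-escape` (a constructed stand-in for a typical HTML-body escaper) are assumptions made for illustration.

```clojure
(ns example.context-escape
  (:require [clojure.string :as str]))

;; Constructed stand-in for an HTML-body escaper (not Hiccup's source).
(defn html-escape [s]
  (-> (str s)
      (str/replace "&" "&amp;")
      (str/replace "<" "&lt;")
      (str/replace ">" "&gt;")
      (str/replace "\"" "&quot;")))

(defn- alnum? [n]
  (or (<= 48 n 57) (<= 65 n 90) (<= 97 n 122)))

;; Shared encoder: characters below 256 that are not ASCII letters or
;; digits are rewritten with `fmt`; all other characters pass through.
(defn- encode-with [fmt s]
  (apply str
         (map (fn [c]
                (let [n (int c)]
                  (if (or (alnum? n) (> n 255))
                    c
                    (format fmt n))))
              (str s))))

;; One encoder per output context (hypothetical names).
(defn escape-attr [s] (encode-with "&#x%02X;" s)) ; HTML attribute value
(defn escape-js   [s] (encode-with "\\x%02X" s))  ; JavaScript string literal
(defn escape-css  [s] (encode-with "\\%06X" s))   ; CSS value, zero-padded escape

;; Constructed input: a single quote, a backslash and a closing tag.
(def sample "O'Reilly \\ </b>")

;; Print the same value encoded for each context.
(doseq [[label f] [["html" html-escape]
                   ["attr" escape-attr]
                   ["js"   escape-js]
                   ["css"  escape-css]]]
  (println (format "%-4s -> %s" label (f sample))))
```

The stand-in HTML escaper leaves the single quote and backslash untouched, which is why a value destined for a JavaScript string or CSS value needs its own encoder. The encoded lines also show the readability cost of escaping every non-alphanumeric character.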
