Comments (7)
Why?
from hiccup.
Most libraries that handle escaping do this; here is a simple mustache example to illustrate why:
<a href='{{untrustedData}}'>Click Me</a>
Apostrophes are technically valid replacements for quotes in this example, and if the untrusted data does not escape apostrophes and the untrusted data happens to be

#' onclick='while(true){alert("hahahaha");}

you have opened your page to an attack.
Basically, it is just considered best practice to escape apostrophes as well as quotes, amps, and lt/gt.
from hiccup.
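The attack in the comment above, worked through as an added example (this is not hiccup's own code and not the reporter's): a single-quoted attribute rendered with an escape function that skips apostrophes, next to the same template rendered with one that escapes them. The `*html-mode*` switch, the `:sgml` keyword and the `render-link` stand-in for the mustache template are assumptions made for this example; the payload string is the one constructed in the thread.

```clojure
(ns example.escape
  "Added example, not hiccup's code: why apostrophes must be escaped inside
   single-quoted attribute values, and an escape function with an
   HTML4 (:sgml) vs XML entity choice."
  (:require [clojure.string :as str]))

;; Assumed for this example: :sgml stands for HTML4, which has no &apos;,
;; so the numeric reference is used there; any other mode gets &apos;.
(def ^:dynamic *html-mode* :xml)

(defn escape-quotes-only
  "The insufficient version: escapes &, <, > and double quotes only.
   Ampersand goes first so the entities emitted later are not re-escaped."
  [^String s]
  (-> s
      (str/replace "&" "&amp;")
      (str/replace "<" "&lt;")
      (str/replace ">" "&gt;")
      (str/replace "\"" "&quot;")))

(defn escape-html
  "The hardened version: additionally escapes the apostrophe, choosing the
   entity form by *html-mode*."
  [^String s]
  (-> (escape-quotes-only s)
      (str/replace "'" (if (= *html-mode* :sgml) "&#39;" "&apos;"))))

(defn render-link
  "Stand-in for the mustache template <a href='{{untrustedData}}'>Click Me</a>:
   the attribute value is single-quoted, and escape-fn is applied to the
   untrusted data before it is interpolated."
  [escape-fn untrusted]
  (str "<a href='" (escape-fn untrusted) "'>Click Me</a>"))

;; Constructed payload from the thread: a raw apostrophe closes the href
;; value, then a second attribute carrying script is smuggled in.
(def payload "#' onclick='while(true){alert(\"hahahaha\");}")

(defn attribute-broken-out?
  "Practitioner's check: does the rendered markup still contain a raw
   apostrophe followed by a new attribute name? If so, the browser will parse
   onclick as a real attribute of the <a> element."
  [html]
  (boolean (re-find #"' onclick=" html)))

(defn -main [& _]
  (let [unsafe (render-link escape-quotes-only payload)
        safe   (render-link escape-html payload)
        html4  (binding [*html-mode* :sgml]
                 (render-link escape-html payload))]
    (println "apostrophes not escaped:" unsafe)
    (println "  onclick injected?" (attribute-broken-out? unsafe))
    (println "apostrophes escaped (XML mode):" safe)
    (println "  onclick injected?" (attribute-broken-out? safe))
    (println "apostrophes escaped (HTML4 mode):" html4)
    (println "  onclick injected?" (attribute-broken-out? html4))))
```

With `escape-quotes-only` the double quotes inside the payload become `&quot;`, which changes nothing for the attack: the apostrophe that terminates `href` is untouched, so `onclick` lands as a second attribute and the handler is parsed as JavaScript. With `escape-html` every apostrophe is replaced by `&#39;` or `&apos;`, the whole payload stays inside the `href` value, and `attribute-broken-out?` returns false for both modes.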
So the use case is if Hiccup is used in conjunction with a library that uses single quotes?
I think we'll need to take into account the special case of HTML4, which doesn't have &apos;
from hiccup.
Full disclosure - I am updating a test that uses Hiccup to produce HTML output, and I validate the output for our benchmarks; I am running into the problem that we consider the test to have failed validation if the apostrophe is not escaped (again, web's "best practices" is rule of law for our validations).
HTML4 should have &#39;, &#x27;, or &apos;; would you be willing to use one of those?
from hiccup.
Yep, it's recommended to use &#39; by the w3, though of course all the examples you give are just the same character in different bases.
Something like:

```clojure
(replace "'" (if (= *html-mode* :sgml) "&#39;" "&apos;"))
```
from hiccup.
Sounds good to me.
from hiccup.
Fixed in 9d39730
from hiccup.