Automatically escaping HTML with Hiccup, is it possible?

I just tried this with Hiccup:

(hiccup.core/html [:h1 "<script>alert('xss');</script>"])

and to my surprise I got an alert box; Hiccup is not escaping strings by default. I see that there's a method to escape strings, but in my opinion, if it's not the default, sooner or later you'll forget and be vulnerable to XSS.

Is there a way in Hiccup to have it escape strings by default?

Petersham answered 11/7, 2015 at 8:5 Comment(1)
HTH: github.com/weavejester/hiccup/issues/5 (Ovipositor)

hiccup 2.0.0-alpha1 has escaping by default. You just need to change the hiccup.core/html call to hiccup2.core/html and it should work without any change.

(str (hiccup2.core/html [:h1 "<script>alert('xss');</script>"]))

I've upgraded my project from 1.0.5 and it's working without any regression.

Gerhart answered 2/9, 2018 at 15:42 Comment(0)

No, but core/h is an alias for escape-html that makes it slightly more convenient:

(hiccup.core/html [:h1 (hiccup.core/h "<script>alert('xss');</script>")])

Ionic answered 11/7, 2015 at 20:37 Comment(0)
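To see the difference the two answers describe side by side, here is an added example (not code from the question or the answers): the same component rendered with hiccup 1, where every untrusted value has to pass through hiccup.core/h, and with hiccup2.core/html, which escapes by default and uses hiccup2.core/raw to opt trusted markup back in. It assumes hiccup 2.0.0-alpha1 or later on the classpath (with `raw` available), and the names untrusted-comment and render-comment-* are constructed for this example.

```clojure
;; Added example, not from the original post: hiccup 1 vs hiccup 2 escaping.
;; Assumes hiccup 2.0.0-alpha1 or later; names below are constructed.
(require '[hiccup.core :as h1]
         '[hiccup2.core :as h2])

;; Constructed untrusted input, as it might arrive from a form field.
(def untrusted-comment "<script>alert('xss');</script>")

(defn render-comment-v1
  "hiccup 1: strings are emitted verbatim, so every untrusted value must be
   wrapped in hiccup.core/h. Forgetting a single one is an XSS bug."
  [author body]
  (h1/html [:div.comment
            [:b (h1/h author)]
            [:p (h1/h body)]]))

(defn render-comment-v2
  "hiccup 2: every string is escaped, so no per-value wrapping is needed.
   html returns a RawString, hence the str call."
  [author body]
  (str (h2/html [:div.comment
                 [:b author]
                 [:p body]])))

(defn render-comment-v2-with-markup
  "Markup that is trusted (here a server-side constant) is opted in
   explicitly with hiccup2.core/raw; everything else is still escaped."
  [author body]
  (str (h2/html [:div.comment
                 [:b author]
                 [:p body]
                 (h2/raw "<hr class=\"sep\"/>")])))

;; Both renderers turn the < and > of untrusted-comment into &lt; and &gt;,
;; so the script tag is shown as text rather than executed by the browser.
(render-comment-v1 "alice" untrusted-comment)
(render-comment-v2 "alice" untrusted-comment)
(render-comment-v2-with-markup "alice" untrusted-comment)

;; Self-check: no unescaped <script> tag survives in either output.
(assert (not (re-find #"<script>" (render-comment-v1 "alice" untrusted-comment))))
(assert (not (re-find #"<script>" (render-comment-v2 "alice" untrusted-comment))))
```

Note that in the hiccup 2 version the only place raw markup can enter the output is the explicit h2/raw call, which is the line to look for in code review.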
