HTML attributes have unique issues when it comes to escaping user-controlled content. I don't see an existing filter in Jinja2 that covers this common use case. (Correct me if I'm wrong.) More worrying, I'm sure too many people are relying on Jinja2's auto escaping to sanitize HTML attributes, which is actually really dangerous!
Here's an example of a custom HTML attribute filter I wrote:
import jinja2  # note: jinja2.Markup was removed in Jinja2 3.1; use markupsafe.Markup there
# `app` is the Flask application object the filter is registered on

@app.template_filter("html_attribute")
def html_attribute(html_attribute_string):
    """
    Formats a string to be placed inside an HTML element's attribute.
    Attribute sanitization is so tricky (and so prone to browser-specific flaws) that we take an extreme approach:
    escape EVERYTHING that's not an alphanumeric into &#NN; syntax.
    See: http://wonko.com/post/html-escaping
    """
    sanitized_string = ''
    for char in html_attribute_string:
        if char.isalnum():
            # Alphanumerics are safe in any attribute context; pass them through unchanged.
            sanitized_string += char
        else:
            # Everything else (space, quotes, '=', '<', '&', ...) becomes a decimal character reference.
            sanitized_string += "&#%s;" % ord(char)
    # Mark the result safe so autoescaping does not escape the '&' of each reference a second time.
    return jinja2.Markup(sanitized_string)
If this is something you're interested in, I can submit a pull request.
I'm going to close this issue. Using the escape filter without quotation marks is not supported for a good reason. There is nothing wrong with the escaping provided if you enclose your attributes in standards-conformant quotes. If you do not do this, there is no escaping in the world that's going to help you.
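To make the two positions in this thread concrete, here is an added, self-contained example that is not part of the issue or of Jinja2. It assumes that Python's `html.escape` applies the same replacements as Jinja2's autoescape (`&`, `<`, `>`, `"`, `'`), reimplements the issue's `&#NN;` filter as a plain function, and uses the stdlib HTML parser to show which attributes a browser-like parser actually sees when the value is placed in a quoted versus an unquoted attribute.

```python
import html
from html.parser import HTMLParser


def html_attribute(value: str) -> str:
    """Reimplementation of the issue's filter: every non-alphanumeric becomes &#NN;."""
    return "".join(c if c.isalnum() else "&#%d;" % ord(c) for c in value)


def render_title(value: str, quoted: bool, escaper=html.escape) -> str:
    """Stand-in for rendering <a title="{{ v }}"> (quoted) or <a title={{ v }}> (unquoted)
    with autoescape on; `escaper` is the escaping applied to the interpolated value."""
    escaped = escaper(value)
    template = '<a title="%s">link</a>' if quoted else '<a title=%s>link</a>'
    return template % escaped


class _AttrCollector(HTMLParser):
    """Collects the attributes of the first <a> start tag, as the parser understood them."""

    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "a" and self.attrs is None:
            self.attrs = dict(attrs)  # the parser has already decoded &#NN; references


def parsed_attrs(markup: str) -> dict:
    parser = _AttrCollector()
    parser.feed(markup)
    parser.close()
    return parser.attrs or {}


# Constructed sample value: a space followed by something that looks like a second attribute.
SAMPLE = "hello extra=1"

if __name__ == "__main__":
    # Quoted attribute + standard escaping: the whole value stays inside `title`.
    print(parsed_attrs(render_title(SAMPLE, quoted=True)))
    # Unquoted attribute + standard escaping: the space ends `title` and `extra` becomes
    # a new attribute; no amount of &<>"' escaping prevents this, as the maintainer says.
    print(parsed_attrs(render_title(SAMPLE, quoted=False)))
    # Unquoted attribute + the issue's filter: the space is now &#32;, so nothing splits.
    print(parsed_attrs(render_title(SAMPLE, quoted=False, escaper=html_attribute)))
```

The middle case is the one the maintainer's reply is about: the value contains no characters that standard escaping touches, so only the quotes (or the much more aggressive filter) keep it inside the attribute.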