Escape user data in server-data.rst

dave1010 · web-flow · commit fb0b35d85dfa · 2025-09-24T16:34:01.000+01:00
Escape user data for HTML attributes to prevent XSS.

This is already done in the second code snippet below.
diff --git a/frontend/server-data.rst b/frontend/server-data.rst
@@ -10,7 +10,7 @@ them later in JavaScript. For example:
 
     <div class="js-user-rating"
         data-is-authenticated="{{ app.user ? 'true' : 'false' }}"
-        data-user="{{ app.user|serialize(format = 'json') }}"
+        data-user="{{ app.user|serialize(format = 'json')|e('html_attr') }}"
     >
         <!-- ... -->
     </div>

Original file line number	Diff line number	Diff line change
`@@ -10,7 +10,7 @@ them later in JavaScript. For example:`
`10`	`10`
`11`	`11`	`<div class="js-user-rating"`
`12`	`12`	`data-is-authenticated="{{ app.user ? 'true' : 'false' }}"`
`13`		`- data-user="{{ app.user\|serialize(format = 'json') }}"`
	`13`	`+ data-user="{{ app.user\|serialize(format = 'json')\|e('html_attr') }}"`
`14`	`14`	`>`
`15`	`15`	`<!-- ... -->`
`16`	`16`	`</div>`