XSS prevention


kidogo

Jan 7, 2015, 8:04:47 AM
to google-s...@googlegroups.com

I'd really appreciate hearing what other Sitebricks users do for XSS prevention, and whether there is a way to ensure HTML escaping of all data inserted into HTML templates except when you explicitly want to output raw text.

IMHO it would have been a huge security boost if all ${value} were HTML escaped by Sitebricks by default, and require use of something like @RawText() to output raw text.

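As an added illustration of the escape-by-default design proposed above (this is not Sitebricks code and not from either poster), here is a small Java renderer in which every `${value}` placeholder is HTML-escaped unless the model value is wrapped in a `RawText` marker, which stands in for the suggested `@RawText()` opt-out. The class and method names, the placeholder syntax handled, and the sample template and model are all made up for this example.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Toy escape-by-default template renderer (example only; names are hypothetical). */
public final class EscapeByDefaultDemo {

    /** Marker for values the page author has explicitly vetted as HTML; everything else is escaped. */
    public static final class RawText {
        private final String html;
        public RawText(String html) { this.html = html; }
        @Override public String toString() { return html; }
    }

    /** Escapes the characters that matter in HTML text and quoted-attribute contexts. */
    public static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Matches ${name} placeholders with a simple identifier inside.
    private static final Pattern PLACEHOLDER =
        Pattern.compile("\\$\\{([A-Za-z_][A-Za-z0-9_]*)\\}");

    /** Substitutes placeholders: plain values are escaped, RawText passes through, missing keys become "". */
    public static String render(String template, Map<String, Object> model) {
        Matcher m = PLACEHOLDER.matcher(template);
        StringBuilder out = new StringBuilder();
        while (m.find()) {
            Object value = model.get(m.group(1));
            String replacement;
            if (value == null) {
                replacement = "";
            } else if (value instanceof RawText) {
                replacement = value.toString();              // explicit opt-out
            } else {
                replacement = escapeHtml(String.valueOf(value)); // the default path
            }
            m.appendReplacement(out, Matcher.quoteReplacement(replacement));
        }
        m.appendTail(out);
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample: a user-controlled name and a server-generated fragment.
        String template = "<p>Hello, ${name}!</p><div>${footer}</div>";
        Map<String, Object> model = new LinkedHashMap<>();
        model.put("name", "<script>alert('x')</script>");
        model.put("footer", new RawText("<em>Generated by the server</em>"));
        System.out.println(render(template, model));
    }
}
```

The design point is that the unsafe path requires a deliberate, greppable action (constructing `RawText`), so a code review can audit every opt-out. Note that this escaper is only correct for HTML text content and quoted attribute values; a value interpolated into a `<script>` block, a URL, or a CSS declaration needs a different, context-specific encoding.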

Dhanji R. Prasanna

Jan 13, 2015, 5:04:59 PM
to google-s...@googlegroups.com
Yea this is a great point. (Sorry about the late reply--I was on vacation)

We need to do a roadmap for 0.9. I will definitely have escaping by default in for it.

On Wed Jan 07 2015 at 5:04:48 AM kidogo <arnold...@gmail.com> wrote:

> I'd really appreciate hearing what other Sitebricks users do for XSS prevention, and whether there is a way to ensure HTML escaping of all data inserted into HTML templates except when you explicitly want to output raw text.
>
> IMHO it would have been a huge security boost if all ${value} were HTML escaped by Sitebricks by default, and require use of something like @RawText() to output raw text.


--
You received this message because you are subscribed to the Google Groups "Google Sitebricks" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-sitebri...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.