Guillaume Gomez
2d80cc3524
Rename everything to rinja
2024-06-17 15:58:52 +02:00
Guillaume Gomez
ed512051cf
Add deref builtin filter
2024-05-02 20:34:12 +02:00
Guillaume Gomez
12e178ce40
Add test for as_ref builtin filter
2024-01-12 10:38:15 +01:00
Guillaume Gomez
4233b3114f
Update tests for whitespace characters handling
2023-03-09 13:35:00 +01:00
Dirkjan Ochtman
3003d86264
Apply clippy suggestions for 1.67 (#769)
2023-01-30 09:51:23 +01:00
Dirkjan Ochtman
6f52d0eef5
chore: remove allow(clippy::disallowed_names)
2022-11-07 11:14:43 +01:00
Dirkjan Ochtman
ee4dbf0d8d
chore: apply clippy suggestions for 1.65
2022-11-07 11:14:43 +01:00
René Kijewski
29f0c0607a
Make json filter safe
Previously the built-in json filter had an issue that made it unsafe to
use in HTML data. When used in HTML attributes an attacker who is able
to supply an arbitrary string that should be JSON encoded could close
the containing HTML element e.g. with `"</div>"`, and write arbitrary
HTML code afterwards as long as they use apostrophes instead of
quotation marks. The programmer could make this use case safe by
explicitly escaping the JSON result: `{{data|json|escape}}`.
In a `<script>` context the json filter was not usable at all, because
in scripts HTML escaped entities are not parsed outside of XHTML
documents. Without using the safe filter an attacker could close the
current script using `"</script>"`.
This PR fixes the problem by always escaping less-than, greater-than,
ampersand, and apostrophe characters using their JSON unicode escape
sequence `\u00xx`. Unless the programmer explicitly uses the safe
filter, quotation marks are HTML encoded as `&quot;`. In scripts the
programmer should use the safe filter, otherwise not.
2022-02-16 14:51:39 +01:00
vallentin
8063e112a6
Added optional escaper tests
2021-11-19 15:30:10 +01:00
Alex Wennerberg
c0e75554d2
Remove forward-slash escape (#486)
This was based off of the OWASP XSS prevention cheat sheet --
https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html#output-encoding-rules-summary
However, there isn't really any attack vector based on forward slash alone, and
it's being removed in the next version of that document.
> There is no proof that escaping forward slash will improve
> defense against XSS, if all other special characters are escaped
> properly, but it forces developers to use non-standard implementation of
> the HTML escaping, what increases the risk of the mistake and makes the
> implementation harder.
https://github.com/OWASP/CheatSheetSeries/pull/516
2021-05-17 21:33:47 +02:00
Yuxuan Shui
121212bf29
Add integration tests for into_{f64,isize}
Signed-off-by: Yuxuan Shui <yshuiv7@gmail.com>
2020-09-16 11:49:16 +02:00
Andrew Dona-Couch
42c4cb1d87
Add fmt filter that swaps the first two arguments to format!().
This allows a more natural filter usage: `{{ val | fmt("{:?}") }}`
as well as enabling convenient filter composition:
`{{ price | to_f64 | fmt("${:.2}") | center }}`
2020-07-14 20:48:15 +02:00
Dirkjan Ochtman
ea2034e806
Clean up clippy warnings
2020-01-02 22:58:13 +01:00
Dirkjan Ochtman
5549f9a3cd
Use 2018 edition idioms
2018-12-08 21:43:20 +01:00
Dirkjan Ochtman
cf8dc532f0
Remove unused macro_use attributes
2018-12-08 21:43:20 +01:00
Juan Aguilar Santillana
cdafc8d641
Fix cargo fmt
2018-12-07 20:18:16 +01:00
Dirkjan Ochtman
6c442903c6
Disable tests that need dependencies by default
2018-11-04 22:36:45 +01:00
Dirkjan Ochtman
ba91884d76
Update formatting for rust 1.29.0 rustfmt
2018-09-14 13:44:33 +02:00
Dirkjan Ochtman
3011a7ff16
Remove accidentally committed debugging cruft
2018-07-02 09:48:38 +02:00
Dirkjan Ochtman
c44869d7c6
Add test for 'truncate' filter
2018-06-25 14:46:07 +02:00
Dirkjan Ochtman
31b90ccc65
Fix formatting with cargo fmt
2018-06-21 12:19:54 +02:00
Dirkjan Ochtman
76b99dfc7d
Add test for filter in let statement
2018-04-19 14:32:19 +02:00
Dirkjan Ochtman
02266bed68
Add test for nested filters with references (see #76)
2018-04-17 17:16:24 +02:00
Dirkjan Ochtman
83cc6e0ca3
Apply suggestions from rustfmt to improve style
2017-11-21 20:57:56 +01:00
Dirkjan Ochtman
7c29bf765f
Extend escaping according to OWASP recommendations
2017-09-07 20:42:55 +02:00
Dirkjan Ochtman
e559ed4210
Move JSON test into filters test module
2017-09-07 20:42:54 +02:00
Dirkjan Ochtman
ee9db1dbf4
Make ext attribute mandatory for source-specified templates
2017-09-07 20:42:54 +02:00
defyrlt
7d2d7718aa
Add join filter & tests for it
2017-09-02 13:34:52 +02:00
Dirkjan Ochtman
c8b14c6d0d
Add test case for user-defined filters
2017-08-24 20:22:32 +02:00
Dirkjan Ochtman
1e0ee705a8
Propagate format errors and rename render_to() to render_into()
2017-08-10 09:27:33 +02:00
Dirkjan Ochtman
664398b225
Hide askama_derive dependency inside askama (fixes #2)
2017-03-06 22:40:04 +01:00
Dirkjan Ochtman
aa98f61fa7
Discard trailing newlines from templates by default
This matches Jinja's behavior, and seems sensible.
2017-03-03 16:44:54 +01:00
Dirkjan Ochtman
f2ea1408cf
Add test for format filter
2017-02-18 14:02:59 +01:00
Dirkjan Ochtman
fe53034c38
Remove unneeded feature(proc_macro) annotation
2017-02-02 22:21:15 +01:00
Dirkjan Ochtman
2000af8901
Add basic test case for filters
2017-01-06 13:24:44 +01:00