by westurner
423 days ago
But a lack of string types (or tagged strings) results in injection vulnerabilities: OS, SQL, XSS (JS, CSS, HTML), XML, URI, query string. How should template autoescaping be implemented [in Zig without string types or type-tagged strings]? E.g. Jinja2 implements autoescaping with MarkupSafe; strings wrapped in a Markup() type will not be autoescaped because they already have an .__html__() method. MarkupSafe:

https://pypi.org/project/MarkupSafe/

Some time ago, I started to create a project called "strypes" to teach or handle typed strings and escaping correctly.

"Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')"

https://cwe.mitre.org/data/definitions/74.html
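A small model of the type-tagged-string pattern the comment describes, added here as an illustration and not taken from MarkupSafe or the "strypes" project: a plain `str` is escaped whenever it reaches the output, while a value tagged as `Markup` (signalled by an `__html__` method) passes through untouched, so trusted fragments are never double-escaped and untrusted text is never emitted raw. The `render_greeting` template function and its inputs are constructed for this example.

```python
"""Minimal model of MarkupSafe-style autoescaping with a type-tagged string.

Constructed illustration (not MarkupSafe's own code): the tag is the type,
so the escaping decision is made by the output sink rather than by the caller.
"""
import html
from typing import Any


class Markup(str):
    """A str tagged as already-safe HTML; the tag is the __html__ method."""

    def __html__(self) -> str:
        return str(self)

    def __add__(self, other: Any) -> "Markup":
        # Concatenating anything onto Markup escapes the untagged side,
        # so the result is still safe HTML.
        return Markup(str(self) + str(escape(other)))


def escape(value: Any) -> Markup:
    """Escape untrusted text, but pass through anything that declares __html__.

    This is the same check Jinja2 autoescaping relies on: a tagged value
    (Markup) is returned as-is, so applying escape() twice is idempotent.
    """
    if hasattr(value, "__html__"):
        return Markup(value.__html__())
    return Markup(html.escape(str(value), quote=True))


def render_greeting(name: Any) -> str:
    """Tiny 'template': every interpolated value is routed through escape()."""
    return str(Markup("<p>Hello, ") + name + Markup("!</p>"))


if __name__ == "__main__":
    # Constructed inputs: one untrusted string, one trusted tagged fragment.
    print(render_greeting("<script>alert('x')</script>"))
    print(render_greeting(Markup("<b>Bob</b>")))
```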