As a Clojure geek, I have loved using this library when I'm in Python, but I've realized I can't do that for anything that might take arbitrary input from the web, as I could open the app up to an HTML injection attack. Therefore, I think it would be prudent that the default behavior of cottonmouth.html.render et al would be to sanitize HTML with some existing Python lib (perhaps? https://github.com/mozilla/bleach). It will be important in this to have some way of supporting inlining HTML strings, marking them as safe, or having a separate "safe" function call (or should it be called danger?). So that's something to think out. But again, I think this is a rather important issue if you want folks to use this library for anything serious/general.
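The issue above asks for escape-by-default rendering of hiccup-style trees with an explicit opt-out for trusted markup. The following is an added illustration of that design and is not cottonmouth's code or API; it is a small stand-alone renderer for the `["tag", {attrs}, *children]` shape, with `render`, `Safe` and `danger` as hypothetical names. It differs from the proposal in one deliberate way: instead of sanitizing with bleach it escapes every untrusted text node and attribute value with the standard library's `html.escape`, and only a value explicitly wrapped by `danger(...)` is emitted verbatim. It also validates tag and attribute names, since a tag name taken from user input is another injection point that sanitizing text nodes alone would miss.

```python
import html
import re

# Element and attribute names must be plain identifiers. This blocks
# smuggling something like 'div onload=x' through a tag or attribute
# name that came from untrusted input.
_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9:_-]*$")

# HTML void elements: rendered without a closing tag.
_VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input",
         "link", "meta", "source", "track", "wbr"}


class Safe(str):
    """A string the caller vouches for. render() emits it verbatim."""


def danger(fragment: str) -> Safe:
    """Explicit opt-out from escaping; the name flags the risk at the call site."""
    return Safe(fragment)


def _attrs(attrs: dict) -> str:
    # Attribute values are always quoted and escaped, Safe or not; the
    # opt-out only applies to child nodes.
    parts = []
    for name, value in attrs.items():
        if not _NAME_RE.match(name):
            raise ValueError(f"illegal attribute name: {name!r}")
        if value is None or value is False:
            continue                      # omitted attribute
        if value is True:
            parts.append(name)            # boolean attribute, e.g. disabled
        else:
            parts.append(f'{name}="{html.escape(str(value), quote=True)}"')
    return (" " + " ".join(parts)) if parts else ""


def render(node) -> str:
    """Render a hiccup-style tree to HTML, escaping everything not marked Safe."""
    if isinstance(node, Safe):            # must be checked before plain str
        return str(node)
    if node is None or node is False:
        return ""
    if isinstance(node, str):
        return html.escape(node, quote=True)
    if isinstance(node, (int, float)):
        return str(node)
    if isinstance(node, (list, tuple)):
        if not node:
            return ""
        head = node[0]
        if isinstance(head, str) and not isinstance(head, Safe):
            # Element form: ["tag", {attrs}?, *children]
            if not _NAME_RE.match(head):
                raise ValueError(f"illegal tag name: {head!r}")
            rest = list(node[1:])
            attrs = rest.pop(0) if rest and isinstance(rest[0], dict) else {}
            if head.lower() in _VOID:
                return f"<{head}{_attrs(attrs)}>"
            inner = "".join(render(child) for child in rest)
            return f"<{head}{_attrs(attrs)}>{inner}</{head}>"
        # A sequence whose head is not a tag name is a fragment.
        return "".join(render(child) for child in node)
    raise TypeError(f"cannot render {type(node).__name__}")


if __name__ == "__main__":
    # Constructed sample: untrusted text and attribute values, plus one
    # trusted fragment that the caller opts in to inlining.
    user_name = "<script>alert(1)</script>"
    user_link = 'x" onmouseover="evil()'
    print(render(["div", {"class": "profile"},
                  ["p", "Hello, ", user_name],
                  ["a", {"href": user_link}, "home"],
                  ["input", {"type": "text", "disabled": True}],
                  danger("<b>site-owned markup</b>")]))
```

The two rules that make this safe to hand arbitrary web input are that plain `str` is never trusted, and that the only way to get raw markup into the output is a type the caller constructs on purpose. Note that `"".join(map(str, ...))` or string concatenation anywhere upstream silently turns a `Safe` back into a plain `str`, which is the right failure direction: the worst case is double-escaped output, not an injection.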