Add escaping of dynamic content
This commit is contained in:
@@ -1,5 +1,4 @@
|
|||||||
input validation to avoid XSS and injection
|
|
||||||
only allow signup, login ecc over HTTPS
|
only allow signup, login ecc over HTTPS
|
||||||
session expiration
|
session expiration
|
||||||
mark cookies as secure
|
mark cookies as secure
|
||||||
consider SameSite=Strict
|
consider SameSite=Stricts
|
||||||
+2
-2
@@ -55,10 +55,10 @@ let main =
|
|||||||
|
|
||||||
<div class="item">
|
<div class="item">
|
||||||
<div>
|
<div>
|
||||||
<a href=\'"'\link\'"'>\post.title</a>
|
<a href=\'"'\link\'"'>\escape(post.title)</a>
|
||||||
</div>
|
</div>
|
||||||
<div>
|
<div>
|
||||||
<span>\post.date</span> | <span>\post.num_comments comments</span>
|
<span>\escape(post.date)</span> | <span>\escape(post.num_comments) comments</span>
|
||||||
</div>
|
</div>
|
||||||
</div>
|
</div>
|
||||||
}
|
}
|
||||||
|
|||||||
+1
-1
@@ -3,7 +3,7 @@ procedure page(title, login_user_id, style, main)
|
|||||||
<html>
|
<html>
|
||||||
<head>
|
<head>
|
||||||
<meta charset="UTF-8" />
|
<meta charset="UTF-8" />
|
||||||
<title>CN - \title</title>
|
<title>CN - \escape(title)</title>
|
||||||
<style>
|
<style>
|
||||||
body {
|
body {
|
||||||
line-height: 200%;
|
line-height: 200%;
|
||||||
|
|||||||
Reference in New Issue
Block a user