6

I just tried this with Hiccup:

(hiccup.core/html [:h1 "<script>alert('xss');</script>"])

and to my surprise I got an alert box: Hiccup is not escaping strings by default. I see that there's a method to escape strings, but in my opinion if it's not the default, sooner or later you'll forget and be vulnerable to XSS.

Is there a way in Hiccup to have it escape strings by default?


2 Answers

4

Hiccup 2.0.0-alpha1 escapes by default. You only need to change the hiccup.core/html call to hiccup2.core/html, and it should work without any other changes.

(str (hiccup2.core/html [:h1 "<script>alert('xss');</script>"]))

I upgraded my project from 1.0.5 and it works without any regressions.

Answered 2018-09-02T15:42:55.820
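An added example, not part of either answer: a small clojure.test regression test that pins down hiccup2's escape-by-default behaviour, so a later switch back to hiccup.core or a stray use of the raw-markup opt-out fails the test instead of shipping an XSS. It assumes hiccup 2.0.0-alpha1 or newer on the classpath; the `greeting` and `trusted-fragment` functions are hypothetical.

```clojure
;; Added example (not the answerer's code). Assumes hiccup >= 2.0.0-alpha1.
(ns example.escape-test
  (:require [clojure.string :as str]
            [clojure.test :refer [deftest is]]
            [hiccup2.core :as h]))

;; Constructed untrusted input, the same payload as in the question.
(def user-input "<script>alert('xss');</script>")

(defn greeting
  "Renders untrusted text in both attribute and body position.
   hiccup2.core/html escapes it; the result is a RawString, hence the str."
  [name]
  (str (h/html [:h1 {:title name} "Hello, " name])))

(defn trusted-fragment
  "hiccup2.core/raw is the explicit opt-out: it marks a string as already
   rendered HTML and it is NOT escaped. Only pass markup you generated yourself;
   every call to raw is a place to look at in review."
  [markup]
  (str (h/html [:div (h/raw markup)])))

(deftest escapes-untrusted-input-by-default
  (let [out (greeting user-input)]
    ;; No literal <script> tag survives anywhere in the output ...
    (is (not (str/includes? out "<script>")))
    ;; ... because the angle brackets were turned into entities.
    (is (str/includes? out "&lt;script&gt;"))))

(deftest raw-bypasses-escaping
  ;; Documents the one way escaping can be disabled, so nobody is surprised by it.
  (is (= "<div><b>hi</b></div>" (trusted-fragment "<b>hi</b>"))))
```

Run with `clojure -M -m clojure.test` style tooling or `lein test`; the first test fails immediately if the namespace alias is changed back to hiccup.core.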
2

No, but core/h, its alias for escape-html, makes it slightly more convenient:

(hiccup.core/html [:h1 (hiccup.core/h "<script>alert('xss');</script>")])

Answered 2015-07-11T20:37:02.003