I just tried this with Hiccup:
(hiccup.core/html [:h1 "<script>alert('xss');</script>"])
and to my surprise I got an alert box: Hiccup is not escaping strings by default. I see that there's a method to escape strings, but in my opinion if it's not the default, sooner or later you'll forget and be vulnerable to XSS.
Is there a way in Hiccup to have it escape strings by default?
hiccup 2.0.0-alpha1 has escaping by default. You just need to change the hiccup.core/html call to hiccup2.core/html and it should work without any change.
(str (hiccup2.core/html [:h1 "<script>alert('xss');</script>"]))
I've upgraded my project from 1.0.5 and it's working without any regression.
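The following is an added example, not code from the question, the answer, or the Hiccup project. It puts the legacy unescaped call, the 1.x manual escape with hiccup.core/h, and the 2.x default-escaping call side by side, and shows the 2.x opt-out, hiccup2.core/raw, which is the only place a string reaches the output unescaped. It assumes hiccup 2.0.0-alpha1 or later on the classpath (the hiccup.core namespace is still shipped there for compatibility); the namespace name, function names and the input string are constructed for the demonstration.

```clojure
;; Added example; assumes hiccup 2.0.0-alpha1 or later, e.g. in deps.edn:
;;   {:deps {hiccup/hiccup {:mvn/version "2.0.0-alpha1"}}}
(ns xss-demo
  (:require [hiccup.core :as h1]        ; legacy API: strings are not escaped
            [hiccup2.core :as h2]))     ; 2.x API: strings are escaped by default

;; Constructed attacker-controlled input for the demonstration.
(def untrusted "<script>alert('xss');</script>")

;; 1.x style. The string is emitted verbatim, so the <script> element
;; lands in the document and the browser executes it.
(defn vulnerable-page [name]
  (h1/html [:h1 name]))

;; 1.x style, escaped by hand with hiccup.core/h (alias of
;; hiccup.util/escape-html). Safe, but only if every call site remembers.
(defn manually-escaped-page [name]
  (h1/html [:h1 (h1/h name)]))

;; 2.x style. hiccup2.core/html escapes every plain string it meets and
;; returns a hiccup.util.RawString, so `str` turns it into a String.
(defn safe-page [name]
  (str (h2/html [:h1 name])))

;; 2.x opt-out: raw marks a fragment as already-safe markup. Only markup
;; you generated yourself should ever go through here, never user input.
(defn page-with-trusted-fragment [trusted-html]
  (str (h2/html [:div (h2/raw trusted-html)])))

(defn -main [& _]
  (println (vulnerable-page untrusted))
  (println (manually-escaped-page untrusted))
  (println (safe-page untrusted))
  ;; Both escaping paths use the same hiccup.util/escape-html, so the
  ;; manual 1.x form and the 2.x default produce identical output.
  (assert (= (manually-escaped-page untrusted) (safe-page untrusted)))
  ;; Escaping rewrites < and > so the script tag is inert text.
  (assert (not (.contains ^String (safe-page untrusted) "<script>")))
  (assert (.contains ^String (safe-page untrusted) "&lt;script&gt;"))
  (println (page-with-trusted-fragment "<em>fragment we generated ourselves</em>")))
```

Run it with `clj -M -m xss-demo` (or call `(-main)` from a REPL); the first line printed is the live payload from the vulnerable path, the next two are the escaped form. One caveat that escaping does not cover: it makes untrusted text safe as element content and attribute values, but an attacker-controlled value placed in an `href` or `src` can still be a `javascript:` URL, so URL-bearing attributes need validation of the scheme on top of the escaping that hiccup2.core/html provides.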