Escape/sanitize user input in Clojure/Compojure

I am using Clojure/Ring/Compojure-0.4/Enlive stack to build a web application.

Are there functions in this stack that would either strip HTML or HTML-encode (i.e. <a> to &lt;a&gt;) user-supplied strings in order to prevent XSS attacks?

Alex B asked May 24 '10 14:05



1 Answer

hiccup.util/escape-html in hiccup does it. That function used to be in Compojure itself (since all of the functionality in hiccup used to be part of Compojure). It's a simple enough function that you could easily write it yourself though.

(defn escape-html
  "Change special characters into HTML character entities."
  [text]
  ;; as-str is hiccup's helper that coerces keywords, symbols, numbers
  ;; and strings to a java.lang.String. & must be replaced first, so the
  ;; & inside the entities added by the later replacements is not
  ;; escaped a second time.
  (.. ^String (as-str text)
    (replace "&" "&amp;")
    (replace "<" "&lt;")
    (replace ">" "&gt;")
    (replace "\"" "&quot;")))

There's also clojure.contrib.string/escape, which takes a map of char -> string escape sequences and a string and escapes it for you.

user> (clojure.contrib.string/escape {\< "&lt;" \> "&gt;"} "<div>foo</div>")
"&lt;div&gt;foo&lt;/div&gt;"

This strikes me as not as useful as it could be, because you might want to escape multi-character sequences and this won't let you. But it might work for your HTML-escaping needs.

And then there are many Java libraries for this, of course. You could use StringEscapeUtils from Apache Commons:

(org.apache.commons.lang3.StringEscapeUtils/escapeHtml4 some-string)

This strikes me as a bit heavyweight for this purpose though.

Brian Carper answered Sep 22 '22 23:09
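An added example, not code from the answer or from hiccup, showing the same escaping on current Clojure, where clojure.contrib.string no longer exists and clojure.string/escape takes the string first and the char-to-string map second. It also covers the single quote, which the four-entity version above leaves untouched, so the result is safe inside single-quoted attribute values as well; the namespace and function names are my own choices.

```clojure
(ns escape-demo
  (:require [clojure.string :as str]))

;; Characters that change meaning in HTML text or attribute values,
;; mapped to their entities. & is in the map, so a single pass over the
;; input never double-escapes (unlike chained replace calls, which must
;; handle & first).
(def html-entities
  {\& "&amp;"
   \< "&lt;"
   \> "&gt;"
   \" "&quot;"
   \' "&#39;"})

(defn escape-html
  "HTML-encode untrusted text so the browser renders it literally instead
   of parsing it as markup. nil becomes the empty string via str."
  [text]
  (str/escape (str text) html-entities))

(defn attr
  "Build a double-quoted attribute from an untrusted value. Quotes in the
   value are encoded, so the value cannot close the attribute early."
  [attr-name value]
  (str attr-name "=\"" (escape-html value) "\""))

(defn -main
  "Constructed sample inputs: plain text with markup characters, text
   with an ampersand and quotes, and a nil that must not blow up."
  [& _]
  (println (escape-html "<b>bold</b> & <i>italic</i>"))
  (println (escape-html "Tom & \"Jerry\" can't"))
  (println (escape-html nil))
  (println (attr "title" "say \"hi\"")))
```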