Keats / tera

A template engine for Rust based on Jinja2/Django
http://keats.github.io/tera/
MIT License

linebreaksbr is not safe - add `html_encode` filter? #906

Closed schungx closed 3 months ago

schungx commented 3 months ago

Right now, if I use linebreaksbr, I have to pair it with the safe filter...

However, that opens me up to injection attacks, as the text itself may contain HTML tags and/or scripts etc...

There is no html_encode filter, otherwise I can simply do:

{{ value | html_encode | linebreaksbr | safe }}
schungx commented 3 months ago

There is the escape filter. Sorry.
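The two filter orders from this thread side by side, as an added example that is not Tera's own code: a standard-library-only model of the `escape` and `linebreaksbr` filters (assumed to mirror Tera's escape character set and newline handling), showing why `{{ value | linebreaksbr | safe }}` lets markup from `value` through while `{{ value | escape | linebreaksbr | safe }}` only ever emits the `<br>` tags the filter itself added.

```rust
// Added example, not Tera's own code: a std-only model of the filter chain in
// this issue. Assumed to mirror Tera's `escape` set (< > & " ' /) and `linebreaksbr`.

/// Model of the `escape` filter: HTML-encode the tag/attribute/entity characters.
pub fn escape_html(input: &str) -> String {
    let mut out = String::with_capacity(input.len() * 2);
    for c in input.chars() {
        match c {
            '<' => out.push_str("&lt;"),
            '>' => out.push_str("&gt;"),
            '&' => out.push_str("&amp;"),
            '"' => out.push_str("&quot;"),
            '\'' => out.push_str("&#x27;"),
            '/' => out.push_str("&#x2F;"),
            _ => out.push(c),
        }
    }
    out
}

/// Model of the `linebreaksbr` filter: turn line breaks into `<br>` tags.
/// Its output is markup, which is why the template has to mark it `safe`.
pub fn linebreaksbr(input: &str) -> String {
    input.replace("\r\n", "<br>").replace('\n', "<br>")
}

/// `{{ value | linebreaksbr | safe }}`: `safe` switches autoescaping off,
/// so any markup in `value` reaches the page untouched.
pub fn render_unsafe(value: &str) -> String {
    linebreaksbr(value)
}

/// `{{ value | escape | linebreaksbr | safe }}`: encode the untrusted text
/// first, then add `<br>` tags to the encoded text, then mark it safe.
pub fn render_safe(value: &str) -> String {
    linebreaksbr(&escape_html(value))
}

/// Post-render check: every `<` must start a `<br>` added by `linebreaksbr`,
/// i.e. nothing from the input survived as markup.
pub fn only_br_tags(rendered: &str) -> bool {
    let mut rest = rendered;
    while let Some(pos) = rest.find('<') {
        if !rest[pos..].starts_with("<br>") {
            return false;
        }
        rest = &rest[pos + 4..];
    }
    true
}
```

Note that the reverse order, `linebreaksbr | escape`, would encode the `<br>` tags too, so the escape step has to come before the filter that adds markup.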