quarkusio / quarkus

Quarkus: Supersonic Subatomic Java.
https://quarkus.io
Apache License 2.0

Investigate and document how Qute can help with preventing stored XSS attacks #28667

Open sberyozkin opened 1 year ago

sberyozkin commented 1 year ago

Description

While the new CSRF prevention feature can help with handling reflected XSS attacks, Qute can help with getting the recorded HTML fragments sanitized via some of its customization options; this needs to be verified and documented.

Implementation ideas

No response

quarkus-bot[bot] commented 1 year ago

/cc @mkouba

mkouba commented 1 year ago

For the record, for HTML and XML templates the ', ", <, > and & characters are escaped by default if a template variant is set, see https://quarkus.io/guides/qute-reference#character-escapes for more details.
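As an added example (not code from this issue or from the Quarkus project), a test that checks the default escaping described above on a constructed piece of stored content. It assumes a template file `src/main/resources/templates/comment.html` containing the single line `<p>{body}</p>`, Quarkus 3 (`jakarta.inject`) imports, and the usual `quarkus-qute` and `quarkus-junit5` test dependencies.

```java
package org.acme; // assumed package name for this added example

import static org.junit.jupiter.api.Assertions.assertFalse;
import static org.junit.jupiter.api.Assertions.assertTrue;

import io.quarkus.qute.Template;
import io.quarkus.test.junit.QuarkusTest;
import jakarta.inject.Inject;
import org.junit.jupiter.api.Test;

// Assumed template: src/main/resources/templates/comment.html with the content
//   <p>{body}</p>
// The .html suffix gives the template the text/html variant, so the
// ', ", <, > and & characters in every {expression} output are escaped.
@QuarkusTest
public class CommentEscapingTest {

    // Injected by name: "comment" resolves to templates/comment.html
    @Inject
    Template comment;

    // Constructed sample of hostile content as it might sit in a database
    // after being accepted by an endpoint that did not sanitize input.
    static final String STORED_BODY = "<script>alert('x')</script> & \"more\"";

    @Test
    public void storedContentIsEscapedByDefault() {
        String html = comment.data("body", STORED_BODY).render();

        // Markup characters come out as entities, so the browser renders the
        // text instead of executing it.
        assertFalse(html.contains("<script>"));
        assertTrue(html.contains("&lt;script&gt;"));
        assertTrue(html.contains("&amp;"));
        assertTrue(html.contains("&quot;more&quot;"));

        // Note: writing {body.raw} (or {body.safe}) in the template bypasses
        // the escaper for that expression, so it must never be applied to
        // user-controlled values. The same applies when no variant is set,
        // e.g. a template parsed from a string without a content type.
    }
}
```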