scriban / scriban

A fast, powerful, safe and lightweight scripting language and engine for .NET
BSD 2-Clause "Simplified" License

What's the default HTML encoding behavior (Liquid and Scriban)? #140

Closed jacobslusser closed 5 years ago

jacobslusser commented 5 years ago

Love the project.

I would like to know what the default HTML encoding behavior is for both Liquid and Scriban, i.e.

value = "<script>alert('attack!');</script>"
<h1>{{ value }}</h1>

Which of the following would it produce by default:

<h1><script>alert('attack!');</script></h1>

or

<h1>&lt;script&gt;alert(&#39;attack!&#39;);&lt;/script&gt;</h1>
xoofx commented 5 years ago

There is no encoding related to HTML; scriban is mostly agnostic about its usage.

There is an html.escape function, for example, to escape an HTML string.
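To make the answer concrete, here is an added C# example (not code from the issue or from the scriban project) that renders the question's template twice: once as written, where the value is substituted verbatim, and once with the html.escape builtin applied through a pipe. It assumes the Scriban NuGet package is referenced; the Liquid-mode `escape` filter name is assumed from Scriban's Liquid compatibility layer, and the sample value is constructed for the demonstration.

```csharp
// Added example, not part of the issue thread. Assumes the Scriban NuGet package.
// Template.Parse / Template.ParseLiquid / Render and the html.escape builtin are
// Scriban APIs; the Liquid "escape" filter name is assumed from Scriban's Liquid mode.
using System;
using Scriban;

public static class EscapeDemo
{
    // Constructed untrusted input of the kind shown in the question.
    public const string Untrusted = "<script>alert('attack!');</script>";

    // Default behaviour: Scriban substitutes the value verbatim, with no HTML encoding.
    public static string RenderRaw(string value)
    {
        var template = Template.Parse("<h1>{{ value }}</h1>");
        return template.Render(new { value });
    }

    // Explicit escaping with the html.escape builtin (Scriban syntax).
    public static string RenderEscaped(string value)
    {
        var template = Template.Parse("<h1>{{ value | html.escape }}</h1>");
        return template.Render(new { value });
    }

    // Same idea in Liquid mode, using the Liquid-style "escape" filter (assumed name).
    public static string RenderEscapedLiquid(string value)
    {
        var template = Template.ParseLiquid("<h1>{{ value | escape }}</h1>");
        return template.Render(new { value });
    }

    // Defender-side check: rendered markup must not carry a raw <script tag through.
    public static bool ContainsRawScriptTag(string html) =>
        html.IndexOf("<script", StringComparison.OrdinalIgnoreCase) >= 0;

    public static void Main()
    {
        var raw = RenderRaw(Untrusted);
        var escaped = RenderEscaped(Untrusted);
        var escapedLiquid = RenderEscapedLiquid(Untrusted);

        Console.WriteLine("raw:            " + raw);
        Console.WriteLine("escaped:        " + escaped);
        Console.WriteLine("escaped liquid: " + escapedLiquid);
        Console.WriteLine("raw has script tag:     " + ContainsRawScriptTag(raw));
        Console.WriteLine("escaped has script tag: " + ContainsRawScriptTag(escaped));
    }
}
```

Because nothing is escaped unless the template says so, any value that originates from user input needs the pipe (or escaping before it reaches the model) in every output position, not just in the one place a reviewer happens to look.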