voku / anti-xss

㊙️ AntiXSS | Protection against Cross-site scripting (XSS) via PHP
MIT License

JavaScript keywords will be removed in pre/code tag #102

Open paxter opened 2 years ago

paxter commented 2 years ago

What is this feature about (expected vs actual behaviour)?

JavaScript elements will be removed in pre/code environment. In my opinion, content in pre/code tags should be left untouched (apart from character escaping).

How can I reproduce it?

```php
<?php
require 'vendor/autoload.php';

use voku\helper\AntiXSS;

$antiXss = new AntiXSS();

$text = "<pre>
.innerHTML
.appendChild
.onclick
</pre>";

echo $antiXss->xss_clean($text);
```

Result:

.

Does it take minutes, hours or days to fix?

I don't know.

Any additional information?

I'm not sure if it's a bug or intended behaviour. Maybe I should not use anti-xss on pre/code tags? This would make the usage much more complicated, because it's not possible anymore to insert any html into the xss_clean() function.
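One way to keep literal code readable while still sanitizing the surrounding markup, as an added example that is not part of the issue or of the anti-xss project: pull each `<pre>`/`<code>` block out, HTML-escape its contents yourself, run `xss_clean()` only on the remainder, and put the escaped blocks back. It assumes the library is installed via Composer as `voku\helper\AntiXSS`, and that the alphanumeric placeholder survives `xss_clean()` unchanged.

```php
<?php
// Added example (not from the anti-xss project): escape the literal contents of
// <pre>/<code> blocks and run xss_clean() only on the surrounding HTML.
// Assumption: the library is installed via Composer as voku\helper\AntiXSS.
require 'vendor/autoload.php';

use voku\helper\AntiXSS;

function cleanHtmlPreservingCode(string $html, AntiXSS $antiXss): string
{
    $blocks = [];

    // 1. Replace every <pre>...</pre> / <code>...</code> block with an
    //    alphanumeric placeholder (assumption: xss_clean() leaves it untouched).
    //    Attributes on the pre/code tag itself are deliberately dropped, so an
    //    event handler on the tag cannot ride along with the literal text.
    $withPlaceholders = preg_replace_callback(
        '#<(pre|code)\b[^>]*>(.*?)</\1>#is',
        static function (array $m) use (&$blocks): string {
            $index = count($blocks);
            // Escape the literal code so the browser renders it as text only.
            $blocks[$index] = '<' . $m[1] . '>'
                . htmlspecialchars($m[2], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
                . '</' . $m[1] . '>';
            return 'XSSCODEBLOCK' . $index . 'XSSCODEBLOCK';
        },
        $html
    );

    // 2. Sanitize only the surrounding HTML with the library.
    $cleaned = $antiXss->xss_clean($withPlaceholders);

    // 3. Restore the escaped code blocks in place of their placeholders.
    return preg_replace_callback(
        '/XSSCODEBLOCK(\d+)XSSCODEBLOCK/',
        static fn(array $m): string => $blocks[(int) $m[1]],
        $cleaned
    );
}

// Constructed sample input: the reporter's <pre> plus an element with an inline handler.
$antiXss = new AntiXSS();
$text = "<pre>\n.innerHTML\n.appendChild\n.onclick\n</pre><p onclick=\"alert(1)\">hi</p>";
echo cleanHtmlPreservingCode($text, $antiXss);
// The <pre> keeps .innerHTML/.appendChild/.onclick as escaped text; the <p> is what xss_clean() sees.
```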

paxter commented 2 years ago

Any thoughts @voku?