weavejester / hiccup

Fast library for rendering HTML in Clojure
http://weavejester.github.io/hiccup
Eclipse Public License 1.0

Escaping attributes, CSS, JavaScript, URLs #129

Open danielcompton opened 8 years ago

danielcompton commented 8 years ago

The OWASP XSS cheat sheet talks about escaping HTML, attributes, CSS, JavaScript, and URLs. It seems like Hiccup does HTML and URL escaping, but doesn't provide functions for escaping the others. Is my understanding correct, and would you be open to a patch for this? I'm not quite sure yet whether it would be possible to integrate it into the escape-html function, or if they would need to be separate functions.

Relates to #122.
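
The five output contexts from the OWASP cheat sheet, written out as separate Clojure functions so the difference between them is visible. This is an added illustration for this issue, not hiccup's code or a proposed API: the namespace and function names (`escape-html-body`, `escape-attr`, `escape-js`, `escape-css`, `escape-url-param`) are hypothetical, the sample payload is constructed, and only `clojure.core` and the JDK are used, so it runs without hiccup on the classpath.

```clojure
(ns xss-contexts
  "Context-specific escapers following the OWASP XSS prevention rules.
   Added illustration for hiccup issue #129; names are hypothetical and
   this is not part of hiccup's API."
  (:import [java.net URLEncoder]))

(defn- ascii-alnum?
  "True for [A-Za-z0-9] only. Deliberately not Character/isLetterOrDigit,
   which would also pass non-ASCII letters the OWASP rules want escaped."
  [c]
  (let [n (int c)]
    (or (<= 48 n 57) (<= 65 n 90) (<= 97 n 122))))

(defn- escape-with
  "Applies (f code-point) to every character of s that is not ASCII
   alphanumeric and is below 256; characters above 255 pass through,
   as the attribute and CSS rules only talk about the low range."
  [f s]
  (apply str
         (map (fn [c]
                (let [n (int c)]
                  (if (or (ascii-alnum? c) (> n 255)) (str c) (f n))))
              (str s))))

;; Rule 1: HTML body. Entity-encode the six characters that can change
;; parsing state. This is the context hiccup's own escape-html covers.
(def ^:private html-entities
  {\& "&amp;" \< "&lt;" \> "&gt;" \" "&quot;" \' "&#x27;" \/ "&#x2F;"})

(defn escape-html-body [s]
  (apply str (map #(get html-entities % %) (str s))))

;; Rule 2: HTML attribute value. Every non-alphanumeric below 256 becomes
;; &#xHH; so an unquoted or oddly quoted attribute cannot be broken out of.
(defn escape-attr [s]
  (escape-with #(format "&#x%02X;" %) s))

;; Rule 3: JavaScript string value inside a quoted literal. \xHH below
;; 256, \uXXXX above, so neither the quote nor </script> can appear raw.
(defn escape-js [s]
  (apply str
         (map (fn [c]
                (let [n (int c)]
                  (cond (ascii-alnum? c) (str c)
                        (< n 256)        (format "\\x%02X" n)
                        :else            (format "\\u%04X" n))))
              (str s))))

;; Rule 4: CSS value inside a quoted string. Fixed six-digit \HHHHHH
;; escapes are unambiguous, so no trailing space is needed.
(defn escape-css [s]
  (escape-with #(format "\\%06X" %) s))

;; Rule 5: URL query parameter value. Percent-encoding of the value only;
;; this is not for whole URLs and does not block javascript: schemes.
(defn escape-url-param [s]
  (URLEncoder/encode (str s) "UTF-8"))

;; Constructed sample payload that would break out of every context if
;; the wrong escaper (or none) were applied.
(def ^:private payload "\"><script>alert('x')</script>")

(defn demo
  "Returns the same payload escaped for each context, for comparison."
  []
  {:html (escape-html-body payload)
   :attr (escape-attr payload)
   :js   (escape-js payload)
   :css  (escape-css payload)
   :url  (escape-url-param payload)})
```

Each escaper assumes the value lands in exactly the slot its rule describes: `escape-js` and `escape-css` are only safe when the output is placed inside a quoted string literal in that language, and `escape-url-param` protects a single query value, not the scheme or path. Picking the function by destination, rather than folding all five rules into one `escape-html`, is what makes the OWASP approach work, which is also why a single combined escaper would produce the hard-to-read output the rules are criticised for.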

weavejester commented 8 years ago

The OWASP rules seem rather aggressive. They might conceivably protect against possible bugs in the browser, but they also make the output harder to read. I think I'd want this to be implemented as a non-default option, once #122 is merged.