Pablo Fernandez

Reputation: 287830

Automatically escaping HTML with Hiccup, is it possible?

I just tried this with Hiccup:

(hiccup.core/html [:h1 "<script>alert('xss');</script>"])

and to my surprise I got an alert box: Hiccup is not escaping strings by default. I see that there's a method to escape strings, but in my opinion if it's not the default, sooner or later you'll forget and be vulnerable to XSS.

Is there a way in Hiccup to have it escape strings by default?

Upvotes: 6

Views: 1486

Answers (2)

Thiago Lewin

Reputation: 2828

hiccup 2.0.0-alpha1 has escaping by default. You just need to change the hiccup.core/html call to hiccup2.core/html and it should work without any change.

(str (hiccup2.core/html [:h1 "<script>alert('xss');</script>"]))

I've upgraded my project from 1.0.5 and it's working without any regression.

Upvotes: 6

John Wiseman

Reputation: 3137

No, but core/h is an alias for escape-html that makes it slightly more convenient:

(hiccup.core/html [:h1 (hiccup.core/h "<script>alert('xss');</script>")])

Upvotes: 2
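The two answers describe three rendering paths: the Hiccup 1 API that emits strings verbatim, the same API with an explicit hiccup.core/h call, and the Hiccup 2 API that escapes by default. The following is an added example, not code from the question or either answer, that puts the three side by side with a small helper for checking whether untrusted input survived as live markup. It assumes hiccup 2.0.0-alpha1 or later on the classpath (which still ships hiccup.core alongside hiccup2.core) and that hiccup2.core/raw is available for the explicit opt-out; the helper names (render-paths, leaks-markup?) are made up for this example.

```clojure
;; Added example; assumes hiccup 2.0.0-alpha1+ so both namespaces resolve.
(ns xss-demo
  (:require [clojure.string :as str]
            [hiccup.core :as h1]
            [hiccup2.core :as h2]))

;; Constructed attacker-style input: the string from the question.
(def untrusted "<script>alert('xss');</script>")

(defn render-paths
  "Render the same untrusted string through the three paths discussed in the
   answers and return a map of rendered HTML strings."
  [s]
  {;; Hiccup 1: strings are inserted verbatim, so the <script> tag goes through.
   :hiccup1-unescaped (h1/html [:h1 s])
   ;; Hiccup 1 with explicit escaping; h is an alias for hiccup.util/escape-html.
   :hiccup1-with-h    (h1/html [:h1 (h1/h s)])
   ;; Hiccup 2: escaping is the default. html returns a RawString, hence str.
   :hiccup2-default   (str (h2/html [:h1 s]))})

(defn leaks-markup?
  "True when the rendered output still contains the literal <script> tag,
   i.e. the untrusted input was not escaped. Only the angle brackets matter:
   an escaped rendering contains &lt;script&gt; instead."
  [rendered]
  (str/includes? rendered "<script>"))

;; The explicit opt-out in Hiccup 2: raw marks a string as already-safe markup,
;; so trusted fragments can still be embedded, but only where the author says so.
(defn render-trusted-fragment [markup]
  (str (h2/html [:div (h2/raw markup)])))

(comment
  ;; Evaluate in a REPL: only the first path lets the <script> tag through.
  (into {} (for [[k v] (render-paths untrusted)] [k (leaks-markup? v)]))
  (render-trusted-fragment "<b>trusted</b>"))
```

The point of leaks-markup? is that it gives a cheap regression check: any template rendering function that returns true for the untrusted sample is a place where the Hiccup 1 default (or a missing h call) is still in use.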
