rspec/rules/S5247/html/rule.adoc

include::../description.adoc[]

include::../ask-yourself.adoc[]

include::../recommended.adoc[]

== Sensitive Code Example

----
<!-- Laravel Blade templates -->
<p>{!! $variable !!}</p><!-- Sensitive -->

<!-- Twig templates -->
{% autoescape false %}<!-- Sensitive -->
{{ article.body|raw }}<!-- Sensitive -->

<!-- Smarty templates -->
<p>{$var nofilter}</p><!-- Sensitive -->

<!-- Django templates -->
<p>{{ variable|safe }}</p><!-- Sensitive -->
{% autoescape off %}<!-- Sensitive -->

<!-- Jinja2 templates -->
<p>{{ variable|safe }}</p><!-- Sensitive -->
{% autoescape false %}<!-- Sensitive -->

<!-- Apache Freemarker templates -->
<#ftl output_format="HTML" auto_esc=false><!-- Sensitive -->
<p>${message?no_esc}</p><!-- Sensitive -->
<#noautoesc><!-- Sensitive -->
<#noescape><!-- Sensitive -->

<!-- Jelly templates -->
<?jelly escape-by-default='false'?><!-- Sensitive -->
<j:out value="${t.name}"/><!-- Sensitive -->

<!-- Java Server Faces (JSF) -->
<h:outputText value="#{user.name}" escape="false" /><!-- Sensitive -->
<f:selectItem itemLabel="#{user.status3}" escapeItem="false" /><!-- Sensitive -->
<f:selectItems itemLabel="#{user.status3}" itemLabelEscaped="false" /><!-- Sensitive -->

<!-- JavaServer Pages (JSP) -->
<p><c:out value="${message}" escapeXml="false" /></p><!-- Sensitive -->

<!-- Java Spring -->
<spring:htmlEscape defaultHtmlEscape="false"><!-- Sensitive -->
<spring:escapeBody htmlEscape="false"><!-- Sensitive -->
<form:input path="lastName" htmlEscape="false" /><!-- Sensitive -->

<!-- Thymeleaf templates -->
<p th:utext="${message}" /><!-- Sensitive -->
----

include::../see.adoc[]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::../message.adoc[]

'''
== Comments And Links
(visible only on this page)

=== on 14 May 2019, 21:49:57 Lars Svensson wrote:
References:


Blade

https://laravel.com/docs/5.8/blade


Twig

https://twig.symfony.com/doc/2.x/tags/autoescape.html

https://twig.symfony.com/doc/2.x/filters/escape.html


Smarty

https://www.smarty.net/docs/en/variable.escape.html.tpl


Freemarker

https://freemarker.apache.org/docs/dgui_misc_autoescaping.html#dgui_misc_autoescaping_disableautoesc

https://freemarker.apache.org/docs/ref_directive_escape.html

https://freemarker.apache.org/docs/ref_directive_ftl.html


Django

https://docs.djangoproject.com/en/dev/ref/templates/builtins/#autoescape


Jelly

https://wiki.jenkins.io/display/JENKINS/Jelly+and+XSS+prevention


JSF

https://docs.oracle.com/javaee/7/javaserver-faces-2-2/vdldocs-facelets/h/outputText.html

https://docs.oracle.com/javaee/6/javaserverfaces/2.1/docs/vdldocs/facelets/f/selectItem.html

https://docs.oracle.com/javaee/6/javaserverfaces/2.1/docs/vdldocs/facelets/f/selectItems.html


Spring

https://docs.spring.io/spring/docs/1.2.x/taglib/tag/HtmlEscapeTag.html

https://docs.spring.io/spring/docs/1.1.5/taglib/tag/EscapeBodyTag.html


=== on 14 Aug 2019, 17:24:19 Pierre-Loup Tristant wrote:
Jinja2


https://jinja.palletsprojects.com/en/2.9.x/templates/#autoescape-overrides

https://jinja.palletsprojects.com/en/2.9.x/templates/#safe

include::../comments-and-links.adoc[]

endif::env-github,rspecator-view[]
rename web to html 2021-02-10 17:04:49 +01:00			`include::../description.adoc[]`

			`include::../ask-yourself.adoc[]`

			`include::../recommended.adoc[]`

			`== Sensitive Code Example`

			`----`
			`<!-- Laravel Blade templates -->`
			`<p>{!! $variable !!}</p><!-- Sensitive -->`

			`<!-- Twig templates -->`
			`{% autoescape false %}<!-- Sensitive -->`
			`{{ article.body\|raw }}<!-- Sensitive -->`

			`<!-- Smarty templates -->`
			`<p>{$var nofilter}</p><!-- Sensitive -->`

			`<!-- Django templates -->`
			`<p>{{ variable\|safe }}</p><!-- Sensitive -->`
			`{% autoescape off %}<!-- Sensitive -->`

			`<!-- Jinja2 templates -->`
			`<p>{{ variable\|safe }}</p><!-- Sensitive -->`
			`{% autoescape false %}<!-- Sensitive -->`

			`<!-- Apache Freemarker templates -->`
			`<#ftl output_format="HTML" auto_esc=false><!-- Sensitive -->`
			`<p>${message?no_esc}</p><!-- Sensitive -->`
			`<#noautoesc><!-- Sensitive -->`
			`<#noescape><!-- Sensitive -->`

			`<!-- Jelly templates -->`
			`<?jelly escape-by-default='false'?><!-- Sensitive -->`
			`<j:out value="${t.name}"/><!-- Sensitive -->`

			`<!-- Java Server Faces (JSF) -->`
			`<h:outputText value="#{user.name}" escape="false" /><!-- Sensitive -->`
			`<f:selectItem itemLabel="#{user.status3}" escapeItem="false" /><!-- Sensitive -->`
			`<f:selectItems itemLabel="#{user.status3}" itemLabelEscaped="false" /><!-- Sensitive -->`

			`<!-- JavaServer Pages (JSP) -->`
			`<p><c:out value="${message}" escapeXml="false" /></p><!-- Sensitive -->`

			`<!-- Java Spring -->`
			`<spring:htmlEscape defaultHtmlEscape="false"><!-- Sensitive -->`
			`<spring:escapeBody htmlEscape="false"><!-- Sensitive -->`
			`<form:input path="lastName" htmlEscape="false" /><!-- Sensitive -->`

			`<!-- Thymeleaf templates -->`
			`<p th:utext="${message}" /><!-- Sensitive -->`
			`----`

			`include::../see.adoc[]`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`ifdef::env-github,rspecator-view[]`
RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346) 2021-09-20 15:38:42 +02:00
			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

			`include::../message.adoc[]`

RULEAPI-576: add a horizontal rule between rule description and comments 2021-06-08 15:52:13 +02:00			`'''`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00			`== Comments And Links`
			`(visible only on this page)`

Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			`=== on 14 May 2019, 21:49:57 Lars Svensson wrote:`
			`References:`


			`Blade`

			`https://laravel.com/docs/5.8/blade`


			`Twig`

			`https://twig.symfony.com/doc/2.x/tags/autoescape.html`

			`https://twig.symfony.com/doc/2.x/filters/escape.html`


			`Smarty`

			`https://www.smarty.net/docs/en/variable.escape.html.tpl`


			`Freemarker`

			`https://freemarker.apache.org/docs/dgui_misc_autoescaping.html#dgui_misc_autoescaping_disableautoesc`

			`https://freemarker.apache.org/docs/ref_directive_escape.html`

			`https://freemarker.apache.org/docs/ref_directive_ftl.html`


			`Django`

			`https://docs.djangoproject.com/en/dev/ref/templates/builtins/#autoescape`


			`Jelly`

			`https://wiki.jenkins.io/display/JENKINS/Jelly+and+XSS+prevention`


			`JSF`

			`https://docs.oracle.com/javaee/7/javaserver-faces-2-2/vdldocs-facelets/h/outputText.html`

			`https://docs.oracle.com/javaee/6/javaserverfaces/2.1/docs/vdldocs/facelets/f/selectItem.html`

			`https://docs.oracle.com/javaee/6/javaserverfaces/2.1/docs/vdldocs/facelets/f/selectItems.html`


			`Spring`

			`https://docs.spring.io/spring/docs/1.2.x/taglib/tag/HtmlEscapeTag.html`

			`https://docs.spring.io/spring/docs/1.1.5/taglib/tag/EscapeBodyTag.html`



			`=== on 14 Aug 2019, 17:24:19 Pierre-Loup Tristant wrote:`
			`Jinja2`


			`https://jinja.palletsprojects.com/en/2.9.x/templates/#autoescape-overrides`

			`https://jinja.palletsprojects.com/en/2.9.x/templates/#safe`

			`include::../comments-and-links.adoc[]`

Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`endif::env-github,rspecator-view[]`