ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S5247/html/rule.adoc
Fred Tingaud 16f6c0aecf
Inline adoc when include has no additional value (#1940) 
Inline adoc files when they are included exactly once.

Also fix language tags because this inlining gives us better information
on what language the code is written in.
2023-05-25 14:18:12 +02:00

137 lines
3.1 KiB
Plaintext
Raw Blame History

include::../description.adoc[]
include::../ask-yourself.adoc[]
include::../recommended.adoc[]
== Sensitive Code Example
----
<!-- Laravel Blade templates -->
<p>{!! $variable !!}</p><!-- Sensitive -->
<!-- Twig templates -->
{% autoescape false %}<!-- Sensitive -->
{{ article.body|raw }}<!-- Sensitive -->
<!-- Smarty templates -->
<p>{$var nofilter}</p><!-- Sensitive -->
<!-- Django templates -->
<p>{{ variable|safe }}</p><!-- Sensitive -->
{% autoescape off %}<!-- Sensitive -->
<!-- Jinja2 templates -->
<p>{{ variable|safe }}</p><!-- Sensitive -->
{% autoescape false %}<!-- Sensitive -->
<!-- Apache Freemarker templates -->
<#ftl output_format="HTML" auto_esc=false><!-- Sensitive -->
<p>${message?no_esc}</p><!-- Sensitive -->
<#noautoesc><!-- Sensitive -->
<#noescape><!-- Sensitive -->
<!-- Jelly templates -->
<?jelly escape-by-default='false'?><!-- Sensitive -->
<j:out value="${t.name}"/><!-- Sensitive -->
<!-- Java Server Faces (JSF) -->
<h:outputText value="#{user.name}" escape="false" /><!-- Sensitive -->
<f:selectItem itemLabel="#{user.status3}" escapeItem="false" /><!-- Sensitive -->
<f:selectItems itemLabel="#{user.status3}" itemLabelEscaped="false" /><!-- Sensitive -->
<!-- JavaServer Pages (JSP) -->
<p><c:out value="${message}" escapeXml="false" /></p><!-- Sensitive -->
<!-- Java Spring -->
<spring:htmlEscape defaultHtmlEscape="false"><!-- Sensitive -->
<spring:escapeBody htmlEscape="false"><!-- Sensitive -->
<form:input path="lastName" htmlEscape="false" /><!-- Sensitive -->
<!-- Thymeleaf templates -->
<p th:utext="${message}" /><!-- Sensitive -->
----
include::../see.adoc[]
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
include::../message.adoc[]
'''
== Comments And Links
(visible only on this page)
=== on 14 May 2019, 21:49:57 Lars Svensson wrote:
References:
Blade
https://laravel.com/docs/5.8/blade
Twig
https://twig.symfony.com/doc/2.x/tags/autoescape.html
https://twig.symfony.com/doc/2.x/filters/escape.html
Smarty
https://www.smarty.net/docs/en/variable.escape.html.tpl
Freemarker
https://freemarker.apache.org/docs/dgui_misc_autoescaping.html#dgui_misc_autoescaping_disableautoesc
https://freemarker.apache.org/docs/ref_directive_escape.html
https://freemarker.apache.org/docs/ref_directive_ftl.html
Django
https://docs.djangoproject.com/en/dev/ref/templates/builtins/#autoescape
Jelly
https://wiki.jenkins.io/display/JENKINS/Jelly+and+XSS+prevention
JSF
https://docs.oracle.com/javaee/7/javaserver-faces-2-2/vdldocs-facelets/h/outputText.html
https://docs.oracle.com/javaee/6/javaserverfaces/2.1/docs/vdldocs/facelets/f/selectItem.html
https://docs.oracle.com/javaee/6/javaserverfaces/2.1/docs/vdldocs/facelets/f/selectItems.html
Spring
https://docs.spring.io/spring/docs/1.2.x/taglib/tag/HtmlEscapeTag.html
https://docs.spring.io/spring/docs/1.1.5/taglib/tag/EscapeBodyTag.html
=== on 14 Aug 2019, 17:24:19 Pierre-Loup Tristant wrote:
Jinja2
https://jinja.palletsprojects.com/en/2.9.x/templates/#autoescape-overrides
https://jinja.palletsprojects.com/en/2.9.x/templates/#safe
include::../comments-and-links.adoc[]
endif::env-github,rspecator-view[]
Reference in New Issue View Git Blame Copy Permalink